W32/Yaha.X@mm
Analysis
- The virus is a 32-bit Windows executable with a compressed file size of 66,048 bytes
- If the virus is run, it uses imports from PSAPI.DLL to enumerate processes and threads and then attempts to terminate them; the targeted processes belong to antivirus or system utility software
- The virus may replace the content of .HTM or .HTML files with the following script:
<BR><BR><BR><CENTER><B><U> Ha..Ha..Haaa...</CENTER></U></B>
- The virus may harvest email addresses from the infected system, looking in the registry and in various files on the hard drive; the harvested addresses are used to send emails with variable subjects and bodies and an infectious attachment
- The virus reads MSN Messenger and Yahoo contact names from the registry
- The virus may parse the UIN files of the ICQ chat client and retrieve email addresses from them
- The virus creates two files, "HOSTS." and "LMHOSTS." (no extension); they contain name-resolution entries that map the following sites to 127.0.0.1, so attempts to browse to them are redirected to the local machine:
www.symantec.com
www.microsoft.com
www.sophos.com
www.kaspersky.com
www.avp.ru
www.mcafee.com
www.nai.com
www.trendmicro.com
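The following Python script is an added example (not part of the original advisory) that checks a HOSTS-format file for the redirection described above. The domain list is taken from the advisory; the sample file content is constructed for the example and is not a capture from an infected machine. It treats any loopback address (127.0.0.0/8 or ::1) as a redirect, so it also catches a variant that used a different loopback address:

```python
"""Scan a HOSTS-format file for security-vendor sites pinned to loopback.

Added example, not part of the original advisory. The domain list comes
from the advisory; the sample file below is constructed, not captured.
"""
import ipaddress
import sys

# Sites the advisory says the worm's HOSTS./LMHOSTS. files redirect to 127.0.0.1.
YAHA_REDIRECTED_HOSTS = frozenset({
    "www.symantec.com", "www.microsoft.com", "www.sophos.com",
    "www.kaspersky.com", "www.avp.ru", "www.mcafee.com",
    "www.nai.com", "www.trendmicro.com",
})

# Constructed sample of a tampered HOSTS file (not a real capture).
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1\twww.sophos.com www.kaspersky.com   # several names on one line
127.0.0.1 www.avp.ru
192.168.1.10 fileserver.local
127.0.0.1 www.example.com
this line is not a mapping
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from HOSTS-file syntax.

    Handles '#' comments, mixed tabs/spaces and multiple hostnames per line;
    lines whose first field is not an IP address are skipped.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()


def find_loopback_redirects(text, watch=YAHA_REDIRECTED_HOSTS):
    """Return [(hostname, ip)] for watched names mapped to a loopback address.

    Both 127.0.0.0/8 and ::1 count as loopback. 'localhost' is not in the
    watch list, so the legitimate loopback entry is left alone.
    """
    return [(name, str(ip)) for ip, name in parse_hosts(text)
            if ip.is_loopback and name in watch]


def scan_file(path):
    """Read a HOSTS/LMHOSTS file from disk and report redirected watched names."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_loopback_redirects(fh.read())


if __name__ == "__main__":
    # With a path argument scan that file (e.g. C:\WINDOWS\HOSTS. on Windows 9x,
    # %SystemRoot%\System32\drivers\etc\hosts on NT); otherwise use the sample.
    hits = (scan_file(sys.argv[1]) if len(sys.argv) > 1
            else find_loopback_redirects(SAMPLE_HOSTS))
    for name, ip in hits:
        print(f"redirected: {name} -> {ip}")
    print("no redirected vendor sites found" if not hits
          else f"{len(hits)} entries need removal")
```

Entries the script reports should be deleted from the file by hand; because both HOSTS. and LMHOSTS. are written by the worm, scan both, and remove the worm's running process first or it may rewrite the files.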
- The virus modifies the registry so that it is executed repeatedly: when a file with a .BAT, .COM or .EXE extension is run, the virus runs first and the original file may or may not execute. The affected values are:
HKEY_CLASSES_ROOT\batfile\shell\open\command
"@" = "C:\WINDOWS\SYSTEM\MSEXEC.EXE" "%1" %*
HKEY_CLASSES_ROOT\comfile\shell\open\command
"@" = "C:\WINDOWS\SYSTEM\MSEXEC.EXE" "%1" %*
HKEY_CLASSES_ROOT\exefile\shell\open\command
"@" = "C:\WINDOWS\SYSTEM\MSEXEC.EXE" "%1" %*
HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command
"@" = "C:\WINDOWS\SYSTEM\MSEXEC.EXE" "%1" %*
HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command
"@" = "C:\WINDOWS\SYSTEM\MSEXEC.EXE" "%1" %*
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
"@" = "C:\WINDOWS\SYSTEM\MSEXEC.EXE" "%1" %*
The original value of "@" in each of the above keys is "%1" %*
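The following Python script is an added example (not the advisory's or Fortinet's code) that checks the six shell\open\command values above for a program inserted ahead of "%1". The key list and the MSEXEC.EXE path come from the advisory; the sample values are constructed. On Windows it reads the live registry through the standard winreg module; elsewhere it runs against the sample:

```python
"""Check the .BAT/.COM/.EXE shell\\open\\command values for a prepended loader.

Added example, not the advisory's or Fortinet's code. The key list and the
MSEXEC.EXE path are from the advisory; the sample values are constructed.
"""
import re
import sys

# Windows' stock value: run the file itself with its arguments.
DEFAULT_OPEN_COMMAND = '"%1" %*'

# The six keys the advisory says the worm rewrites.
SHELL_OPEN_KEYS = [
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command",
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\Software\Classes\batfile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\Software\Classes\comfile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command",
]

# Constructed sample: HKCR values hijacked as in the advisory, HKLM values clean.
SAMPLE_VALUES = {k: r'"C:\WINDOWS\SYSTEM\MSEXEC.EXE" "%1" %*'
                 for k in SHELL_OPEN_KEYS[:3]}
SAMPLE_VALUES.update({k: DEFAULT_OPEN_COMMAND for k in SHELL_OPEN_KEYS[3:]})

# First token of the command: either a quoted path or a bare one.
_LEADING_TOKEN = re.compile(r'^\s*(?:"([^"]*)"|(\S+))')


def hijacked_program(command):
    """Return the program inserted ahead of "%1", or None if the value is stock.

    A clean value starts with %1 (the file being opened), quoted or not.
    Anything in front of it runs before the user's program, which is what
    the worm relies on. Missing keys (None) are reported as clean.
    """
    if not command:
        return None
    m = _LEADING_TOKEN.match(command)
    if not m:
        return None
    first = m.group(1) if m.group(1) is not None else m.group(2)
    return None if first.strip() == "%1" else first


def check_commands(values):
    """Map each key whose value is hijacked to the prepended program."""
    hijacked = {}
    for key, val in values.items():
        prog = hijacked_program(val)
        if prog is not None:
            hijacked[key] = prog
    return hijacked


def read_live_values():
    """Read the six default values from the live registry (Windows only)."""
    import winreg  # standard library, present only on Windows
    hives = {"HKEY_CLASSES_ROOT": winreg.HKEY_CLASSES_ROOT,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    values = {}
    for full in SHELL_OPEN_KEYS:
        hive, _, subkey = full.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                values[full] = winreg.QueryValueEx(k, "")[0]  # "" = default value
        except OSError:
            values[full] = None  # key absent: nothing to hijack
    return values


if __name__ == "__main__":
    values = read_live_values() if sys.platform == "win32" else SAMPLE_VALUES
    found = check_commands(values)
    for key, prog in found.items():
        print(f"{key}\n    runs {prog} before the real file; "
              f"restore to {DEFAULT_OPEN_COMMAND}")
    if not found:
        print("all shell\\open\\command values are stock")
```

A flagged value is only repaired by restoring "%1" %* after the worm's process and the MSEXEC.EXE file are removed; note that with .EXE, .COM and .BAT all hijacked, any repair tool launched through one of those extensions is itself intercepted by the worm first, so it has to be started some other way (for example under an extension the worm does not hook).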
Detection Availability

Product | Signature database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |