W32/Wootboot.DU!tr
Analysis
- The virus is a PE file packed with a modified UPX.
- It adds the value "internet Explorer"="iexplore.exe" under the following registry paths:
  - HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run
  - HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  - HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
- It drops a copy of itself to the %System% directory as iexplore.exe.
- It registers a service by creating the following registry key:
  - HKLM\System\CurrentControlSet\Services\iexplore.exe
- It attempts to seek out and kill the following processes:
  - "ZONEALARM.EXE"
  - "_AVP32.EXE"
  - "_AVPCC.EXE"
  - "_AVPM.EXE"
  - "WrAdmin.EXE"
  - "WrCtrl.EXE"
  - "XPF202EN.EXE"
  - "ZAPRO.EXE"
  - "ZAPSETUP3001.EXE"
  - "ZATUTOR.EXE"
  - "ZAUINST.EXE"
  - "ZONALM2601.EXE"
- The virus searches for IPC$ shared folders and attempts to brute-force the remote system with a long user name and password dictionary.
- It attempts to connect to a remote IRC server to open a backdoor.
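The persistence artifacts listed above (the Run/RunOnce value, the service key and the dropped file) can be checked on a live Windows host with the following triage script. It is an added example, not part of the Fortinet entry; it assumes the dropped copy lands in %SystemRoot%\System32 and reports only what it finds, without removing anything.

```powershell
# Added triage check for W32/Wootboot.DU!tr persistence artifacts (not Fortinet's code).
# Run from an elevated PowerShell prompt so HKLM and HKU\.DEFAULT are readable.
$runKeys = @(
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$serviceKey = 'HKLM:\System\CurrentControlSet\Services\iexplore.exe'
$valueName  = 'internet Explorer'
$findings   = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    # Registry value names are case-insensitive, so compare with -ieq and
    # confirm the data points at iexplore.exe as described in the analysis.
    $prop = $item.PSObject.Properties | Where-Object { $_.Name -ieq $valueName }
    if ($prop -and ($prop.Value -imatch 'iexplore\.exe')) {
        $findings += [pscustomobject]@{ Type = 'RunValue'; Location = $key; Data = $prop.Value }
    }
}

# The service key itself is the indicator; record its ImagePath if present.
if (Test-Path -LiteralPath $serviceKey) {
    $img = (Get-ItemProperty -LiteralPath $serviceKey -ErrorAction SilentlyContinue).ImagePath
    $findings += [pscustomobject]@{ Type = 'Service'; Location = $serviceKey; Data = $img }
}

# Assumption: the "%System%" directory is %SystemRoot%\System32. The genuine
# Internet Explorer binary is not installed there, so a hit is suspicious on its own.
$dropPath = Join-Path $env:SystemRoot 'System32\iexplore.exe'
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Type = 'File'; Location = $dropPath; Data = $hash }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Wootboot.DU!tr persistence artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on any of the three artifact types should be followed by a full AV scan rather than manual deletion, since the sample also kills security processes and spreads over IPC$ shares.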
Recommended Action
FortiGate systems:
- Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
- Download and install the patch for the MS04-011 vulnerability.
URL: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx