VirusW32/Wootboot.DU!tr
Analysis
- The virus is a PE file packed with modified-UPX
- Adds the value "internet Explorer"="iexplore.exe" in the registry path:
- It drops a copy of itself to "undefinedsystemundefined" directory as iexplore.exe.
- Register a service by creating the following registry key:
- It attempts to seek and kill the following processes:
- The virus search for IPC$ shared folders, and attempt to brute-force the remote system with a long user name and password dictionary
- Attempt to connect to remote IRC server to open a backdoor
• HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run
• HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
• HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\System\CurrentControlSet\Services\iexplore.exe
• "ZONEALARM.EXE"
• "_AVP32.EXE"
• "_AVPCC.EXE"
• "_AVPM.EXE"
• "WrAdmin.EXE"
• "WrCtrl.EXE"
• "XPF202EN.EXE"
• "ZAPRO.EXE"
• "ZAPSETUP3001.EXE"
• "ZATUTOR.EXE"
• "ZAUINST.EXE"
• "ZONALM2601.EXE"
Recommended Action
-
FortiGate systems:
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
- Download and install the patch for MS04-011 vulnerability.
URL: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
Patch
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extended | |
| FortiClient | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR |