W32/Sexer.A@mm
Analysis
- The virus is 32-bit with a compressed size of 112,496 bytes.
- The virus is introduced to the system as an email attachment.
- If the virus is run, it may write itself to the local system as "c:\sex.exe".
- The virus locates the Windows Address Book by reading its path from the registry, then attempts to send itself as an email attachment to every contact found.
- The email message is not static: the subject and body text vary, chosen at random from a table of possible subjects and body texts.
- The virus uses the MAPI application Outlook to send its messages to others.
- The virus changes the desktop background image to text written in Russian or a similar language, using the Arial Cyrillic font; the image may be written to the local system as "c:\sex.bmp".
- The virus may modify the registry to load at Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Win2Drv\
"Win2Drv" = 01, 00, 00, 00

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Win2Drv" = <path>\sex.exe
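The two registry entries above are the persistence indicators a responder would check for on a suspect host. The following Python script is an added example, not Fortinet's tooling, that parses a registry export in the standard .reg text format and reports the Win2Drv marker value and any Run value named Win2Drv or pointing at a sex.exe. The registry text it scans is constructed for the example, and the directory prefix in front of \sex.exe is a placeholder because the analysis does not state it.

```python
import re

# Constructed sample of a Windows registry export (.reg text); not captured
# from a real host. It contains both Win2Drv entries from the analysis plus an
# unrelated benign Run value. The directory before \sex.exe is a placeholder.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Win2Drv]
"Win2Drv"=hex:01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win2Drv"="C:\\PLACEHOLDER_DIR\\sex.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Win2Drv"


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}}.

    Quoted string values have their .reg escaping (\\\\ -> \\) undone;
    other value types (hex:, dword:) are kept as their raw text.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            name = name.strip().strip('"')
            raw = raw.strip()
            if raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1].replace("\\\\", "\\")
            keys[current][name] = raw
    return keys


def find_sexer_indicators(text):
    """Return a list of human-readable findings for the W32/Sexer.A@mm
    persistence entries described in the analysis; empty when none are found."""
    findings = []
    keys = parse_reg_export(text)

    # Marker key the virus creates under HKLM\SOFTWARE\Microsoft\Win2Drv
    marker = keys.get(MARKER_KEY, {})
    if "Win2Drv" in marker:
        findings.append(f"marker value {MARKER_KEY}\\Win2Drv = {marker['Win2Drv']}")

    # Autostart entry: value named Win2Drv, or any Run value launching sex.exe
    for name, value in keys.get(RUN_KEY, {}).items():
        if name.lower() == "win2drv" or re.search(r"\\sex\.exe$", value, re.I):
            findings.append(f"Run value {name!r} launches {value}")
    return findings


if __name__ == "__main__":
    for finding in find_sexer_indicators(SAMPLE_REG_EXPORT) or ["no indicators"]:
        print(finding)
```

To use it against a real host, export the two keys with reg.exe (`reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`) and pass the file contents to find_sexer_indicators; a hit on the Run key should be followed by checking for c:\sex.exe and c:\sex.bmp on disk.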
Detection Availability

Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |