W97M/ColdApe.A
Analysis
- The virus consists of one macro module within the class storage.
- The virus hooks Word event handlers, which prevents the opening or closing of documents.
- A registry entry is made on infected hosts, mainly as a flag to the virus that it has already infected the system:
"HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0\"
"VM-DC" = (day of the month host became infected)
- A registry entry is created to run a .VBS file infector at Windows startup:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"
"AVM" = C:\Windows\AVM.VBS
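The two registry artifacts above (the HKCU infection flag and the HKLM Run entry) and the dropped script path give a host-level check. The following PowerShell function is an added example, not part of the Fortinet entry; the registry paths and the file path come from the analysis bullets, while the function name and the output shape are this example's own. It is read-only: it reports what it finds and does not remediate.

```powershell
# Added example (not from the W97M/ColdApe.A entry): read-only check for the
# artifacts the analysis lists. Run from an elevated PowerShell session so
# the HKLM Run key is readable on all supported Windows versions.

function Test-ColdApeArtifacts {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Infection flag the virus writes under HKCU (value = day of month infected)
    $flagKey = 'HKCU:\Software\VB and VBA Program Settings\Office\8.0'
    $flag = Get-ItemProperty -Path $flagKey -Name 'VM-DC' -ErrorAction SilentlyContinue
    if ($null -ne $flag) {
        $findings += [pscustomobject]@{
            Artifact = 'Registry infection flag'
            Location = "$flagKey\VM-DC"
            Value    = $flag.'VM-DC'
        }
    }

    # 2. Run-key persistence entry that launches the .VBS infector at startup
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'AVM' -ErrorAction SilentlyContinue
    if ($null -ne $run) {
        $findings += [pscustomobject]@{
            Artifact = 'Run-key persistence'
            Location = "$runKey\AVM"
            Value    = $run.AVM
        }
    }

    # 3. The dropped script itself. The entry gives C:\Windows\AVM.VBS; the
    #    %SystemRoot% form is checked as well in case Windows is not on C:.
    $paths = @('C:\Windows\AVM.VBS', (Join-Path $env:SystemRoot 'AVM.VBS')) | Select-Object -Unique
    foreach ($vbs in $paths) {
        if (Test-Path -LiteralPath $vbs) {
            $findings += [pscustomobject]@{
                Artifact = 'Dropped VBS infector'
                Location = $vbs
                Value    = (Get-FileHash -LiteralPath $vbs -Algorithm SHA256).Hash
            }
        }
    }

    return $findings
}

# Usage: wrap in @() so a single finding is still treated as a collection.
$result = @(Test-ColdApeArtifacts)
if ($result.Count -eq 0) {
    Write-Output 'No W97M/ColdApe.A artifacts found on this host.'
} else {
    $result | Format-Table -AutoSize
}
```

Any hit on the Run key or the script file is a stronger indicator than the HKCU flag alone, since the flag is only a marker the virus leaves for itself; confirm with the signature-based detection listed below before acting on it.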
Telemetry
Detection Availability
Product | Detection Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |