VirusW97M/ColdApe.B
Analysis
- Virus consists of one macro module within the class
storage
- Virus hooks Word event handlers which prevents
the opening or closing of documents
- Virus is polymorphic by appending user environment
settings as comments into the virus code
- A registry entry is made on infected hosts mainly
as a flag to the virus that it has infected the system
already-
"HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0\"
"VM-DC" = (day of the month host became infected)
- A registry entry is created to run a .VBS file
infector at Windows startup-
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"
"AVM" = C:\Windows\AVM.VBS
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |