VirusW97M/DB.A
Analysis
- Virus consists of one macro module within the class
storage, which is renamed from "ThisDocument"
to "WM97_DocBombing"
- Virus hooks Word event handlers which prevents
the opening or closing of infected documents
- Virus checks the class storage to see if the name
is "WM97_DocBombing" -
if it is not, then all lines of code which may exist there are removed, and the virus copies itself to that location, then renames the storage to "WM97_DocBombing"
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |