VirusW97M/Nono.A
Analysis
- Virus consists of two macro modules, one a class
macro named "ThisDocument" and the other
is variable and named after the Word user initials,
such as "JD"
- Virus hooks Word event handlers which prevents
the opening or closing of infected documents
- On the 10th of any month and 30 minutes, 16 seconds
after the hour, a dialogue box may be displayed-
Title Bar: Hard.Poppy
Body Text: Run Animation?
If Yes is chosen, the dialogue box continues to be displayed. If No is chosen, the dialogue box exits without any further action.
- Virus contains other code which is never executed
- Virus exports its code to a file named after the Word user initials, such as "C:\JD."
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |