W97M/Service.A@mm
Analysis
- Virus consists of one macro module within the class storage, which is renamed from "ThisDocument" to "NOSN"
- Virus hooks Word event handlers, which prevents the opening of infected documents
- Virus is polymorphic due to algorithmically generated comments appended to its instruction lines
- Virus checks the registry entry
HKEY_CURRENT_USER\Software\Microsoft\Office\
"NOSN" = "Non au Service National - Oui au Contrat de Travail"
If the value is not set, it runs the email routine, which sends to all contact entries in the Outlook Global Address Book
- Email is sent to others in one of several formats, depending on a random chance selection:
In a 32% chance:
Subject = "Suggestion..."
Body = "Ce document (" [infected document name] ") vaut bien un petit coup d'oeil. J'aimerais savoir s'il correspond à ce qu'on attends de lui."
In a 34% chance:
Subject = "Un peu d'aide..."
Body = " - Du fait qu'il soit tout bonnement impossible d'assurer 10 mois de loyer sans salaire sur cette période, "
In a 34% chance:
Subject = "Version finale"
Body = "Voici la dernière version de ce sur quoi j'ai travaillé ces derniers temps (Document1). Tous les avis sont la bienvenue !"
Attachment = [an infected Word document file]
- Modifies the registry key as mentioned so the virus will not run the email routine again
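A defender-side check that follows from the analysis above, added here as an example and not part of the original entry: it strips the appended VBA comments (tracking string literals, so the apostrophe in "coup d'oeil" does not start a comment) before matching the "NOSN" module name, the registry marker path and the marker value, and reports what fraction of code lines carry a trailing comment. The macro source is a constructed stand-in, not the virus's code; in practice it would come from a VBA project extracted with a tool such as oletools' olevba.

```python
import re

# Constructed stand-in for decompressed VBA source (assumption: not the virus's
# code, only the indicators from the analysis wrapped in polymorphic-style comments).
SAMPLE_VBA = """Attribute VB_Name = "NOSN"
Private Sub Document_Open() 'q1z
On Error Resume Next 'a
Dim s As String 'm4
s = "Non au Service National - Oui au Contrat de Travail" 'x
k = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\NOSN" 'j3
MsgBox "Ce document vaut bien un petit coup d'oeil." 'b7
End Sub 'r"""

def split_vba_line(line):
    """Return (code, comment) for one VBA line; comment is None when absent."""
    # An apostrophe inside a "..." literal is text, not a comment marker.
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i].rstrip(), line[i + 1:].strip()
    return line.rstrip(), None

def strip_vba_comments(src):
    """Drop trailing comments so polymorphic junk cannot perturb matching."""
    return "\n".join(split_vba_line(l)[0] for l in src.splitlines())

def comment_ratio(src):
    """Fraction of non-blank code lines carrying a trailing comment."""
    code = [p for p in map(split_vba_line, src.splitlines()) if p[0].strip()]
    return sum(1 for _, c in code if c is not None) / len(code) if code else 0.0

MARKER_PATH = r"Software\Microsoft\Office\NOSN"
MARKER_VALUE = "Non au Service National - Oui au Contrat de Travail"

def scan_vba(src):
    """Match the indicators from the analysis against comment-stripped source."""
    clean = strip_vba_comments(src)
    result = {
        "module_nosn": re.search(r'VB_Name\s*=\s*"NOSN"', clean) is not None,
        "registry_marker": MARKER_PATH.lower() in clean.lower(),
        "marker_value": MARKER_VALUE in clean,
        "comment_ratio": comment_ratio(src),
    }
    # Flag when the renamed module appears together with either registry marker.
    result["suspicious"] = result["module_nosn"] and (
        result["registry_marker"] or result["marker_value"])
    return result
```

A high comment ratio on its own is only a weak signal; the renamed module plus the registry marker is what the entry above actually describes.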