W97M/Service.A@mm

Analysis

  • Virus consists of a single macro module in the document's class storage, renamed from "ThisDocument" to "NOSN"
  • Virus hooks Word event handlers, which prevents the opening of infected documents
  • Virus is polymorphic: algorithmically generated comments are appended to its instruction lines
  • Virus checks the registry entry

    HKEY_CURRENT_USER\Software\Microsoft\Office\
    "NOSN" =
    "Non au Service National - Oui au Contrat de Travail"

    If the value is not set, it runs the email routine, which sends a message to every contact entry in the Outlook Global address book

    • Email is sent in one of several formats, chosen at random with the following probabilities

      In a 32% chance:
      Subject = "Suggestion..."
      Body = "Ce document (" [infected document name] ") vaut bien un petit coup d'oeil.J'aimerais savoir s'il correspond à ce qu'on attends de lui."

      In a 34% chance:
      Subject = "Un peu d'aide..."
      Body = " - Du fait qu'il soit tout bonnement impossible d'assurer 10 mois de loyer sans salaire sur cette période, "

      In a 34% chance:
      Subject = "Version finale"
      Body = "Voici la dernière version de ce sur quoi j'ai travaillé ces derniers temps (Document1).Tous les avis sont la bienvenue !"

      Attachment = [an infected Word document file]

    • Sets the registry value described above so that the email routine does not run again
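The two behaviours above give a defender two handles: the fixed lure text of the three mail variants and the HKCU marker the virus leaves behind. The following is an added example, not code from the Fortinet entry; the lure fragments and registry path are taken from the analysis, the mail records are constructed samples, and the field names (from, subject, body, attachments) are an assumed record layout.

```python
# Added example, not code from the Fortinet entry: lure and marker triage for W97M/Service.A@mm.
import platform

MARKER_KEY = r"Software\Microsoft\Office"
MARKER_NAME = "NOSN"
MARKER_VALUE = "Non au Service National - Oui au Contrat de Travail"

# Subject -> constant body fragment of the three documented mail variants
# (the first body embeds the infected file name, so only its fixed tail is kept).
LURES = {
    "Suggestion...": "vaut bien un petit coup d'oeil",
    "Un peu d'aide...": "10 mois de loyer sans salaire",
    "Version finale": "Voici la dernière version de ce sur quoi j'ai travaillé",
}
WORD_EXT = (".doc", ".dot")

def match_lure(subject, body, attachments):
    """Lure subject when subject, body fragment and a Word attachment all line up, else None."""
    fragment = LURES.get(subject.strip())
    if fragment is None or fragment not in body:
        return None
    if not any(name.lower().endswith(WORD_EXT) for name in attachments):
        return None
    return subject.strip()

def triage(messages):
    """Reduce a batch of mail records to (sender, lure) pairs worth a look."""
    return [(m["from"], lure) for m in messages
            if (lure := match_lure(m["subject"], m["body"], m["attachments"]))]

def infection_marker_present():
    """Host-side check for the HKCU value the virus sets after mailing itself; True means the
    mail routine already ran under this profile. Returns None off Windows, where it does not apply."""
    if platform.system() != "Windows":
        return None
    import winreg  # Windows-only module, so imported lazily
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, MARKER_KEY) as key:
            value, _ = winreg.QueryValueEx(key, MARKER_NAME)
    except OSError:  # key or value absent
        return False
    return value == MARKER_VALUE

# Constructed samples: one real lure and one subject-only look-alike whose body does not match.
SAMPLE_MAIL = [
    {"from": "alice@example.test", "subject": "Suggestion...", "attachments": ["budget.doc"],
     "body": "Ce document (budget.doc) vaut bien un petit coup d'oeil.J'aimerais savoir."},
    {"from": "bob@example.test", "subject": "Un peu d'aide...", "attachments": ["texte.doc"],
     "body": "Peux-tu relire ce texte ?"},
]
```

Matching on the subject alone would flag ordinary French business mail, which is why the body fragment and a Word attachment are both required.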


Telemetry

Detection Availability

  • FortiClient: Extreme
  • FortiMail: Extreme
  • FortiSandbox: Extreme
  • FortiWeb: Extreme
  • Web Application Firewall: Extreme
  • FortiIsolator: Extreme
  • FortiDeceptor: Extreme
  • FortiEDR