W97M/Titch.D
Analysis
- Virus is practically identical to W97M/Thus.A in function; only some lines of code are commented out
- Virus consists of one macro module within the class storage
- Virus hooks Word event handlers, which prevents the closing of infected documents
- Virus searches the macro storage of host files for the string "'Thus_001'", which exists in the virus body, as a means to determine if the host file is already infected
- On December 13th of any year, virus searches for all files in all subdirectories and attempts to delete them
Detection Availability
Product | Availability |
---|---|
FortiClient | Extreme |
FortiMail | Extreme |
FortiSandbox | Extreme |
FortiWeb | Extreme |
Web Application Firewall | Extreme |
FortiIsolator | Extreme |
FortiDeceptor | Extreme |
FortiEDR | |