VirusW97M/Verlor.A
Analysis
- Virus consists of one macro module named "module"
- Virus hooks Word event handlers which prevents
the closing of infected documents
- Virus searches the macro storage of host files
for the string
"'MyName = Overlord"
which exists in the virus body, as a means to determine if the host file is already infected
-
Virus writes a VBScript file to the Windows folder as "overlord.b.vbs" and modifies the WIN.INI configuration file to load this VBScript at Windows startup in an effort to maintain Word environment infection
-
Virus contains these comment lines-
'WrittenBy = f0re [UC/Skamwerks/DVC]
'Version = .B (1.1) -
Virus deletes "c:\Himem.sys", creates a new file named "c:\Himem.sy_", writes the full path name of the infected document into this file, then copies c:\Himem.sy_ as c:\Himem.sys
-
Virus changes "registered owner" details in the registry-
"HKEY_LOCAL_MACHINE\software\"
"RegisteredOwner" = "the Overlord"
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |