W97M/Verlor.A
Analysis
- Virus consists of one macro module named "module"
- Virus hooks Word event handlers, which prevents the closing of infected documents
- Virus searches the macro storage of host files for the string
  "'MyName = Overlord"
  which exists in the virus body, as a means to determine if the host file is already infected
- Virus writes a VBScript file to the Windows folder as "overlord.b.vbs" and modifies the WIN.INI configuration file to load this VBScript at Windows startup in an effort to maintain Word environment infection
- Virus contains these comment lines:
  'WrittenBy = f0re [UC/Skamwerks/DVC]
  'Version = .B (1.1)
- Virus deletes "c:\Himem.sys", creates a new file named "c:\Himem.sy_", writes the full path name of the infected document into this file, then copies c:\Himem.sy_ as c:\Himem.sys
- Virus changes "registered owner" details in the registry:
  "HKEY_LOCAL_MACHINE\software\"
  "RegisteredOwner" = "the Overlord"
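As an added example (not part of the Fortinet entry and not the virus's own code), the following Python triage script checks the two host-side indicators described above from a defender's side: the "'MyName = Overlord" self-recognition comment in a document's macro storage, and the WIN.INI startup hook that loads "overlord.b.vbs". It assumes the document's VBA source has already been extracted to text (for instance with oletools' olevba) and that WIN.INI is available as text; the sample inputs at the bottom are constructed for the example.

```python
"""Defensive triage for the W97M/Verlor.A indicators listed above.

Added example, not Fortinet's tooling or the virus code. It assumes the VBA
source was extracted to text beforehand (e.g. with oletools' olevba) and that
WIN.INI is available as text; the sample inputs below are constructed.
"""
import re

# Self-recognition comment the virus looks for in a host's macro storage (from the analysis).
MARKER_RE = re.compile(r"^\s*'\s*MyName\s*=\s*Overlord\s*$", re.IGNORECASE | re.MULTILINE)
# Name of the VBScript the virus drops into the Windows folder (from the analysis).
DROPPED_SCRIPT = "overlord.b.vbs"


def macro_has_marker(vba_source: str) -> bool:
    """True if the extracted VBA source carries the infection marker comment."""
    return MARKER_RE.search(vba_source) is not None


def win_ini_startup_entries(win_ini_text: str) -> list[str]:
    """Return the programs listed under [windows] load= and run= in WIN.INI.

    Both keys hold whitespace- or comma-separated lists; legacy INI files may
    contain comment lines and keys without '=', so a tolerant hand parser is
    used instead of configparser.
    """
    entries: list[str] = []
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in ("load", "run"):
            entries.extend(tok for tok in re.split(r"[,\s]+", value) if tok)
    return entries


def references_dropped_script(entries: list[str]) -> bool:
    """True if any startup entry ends with the dropped script's file name."""
    return any(e.lower().replace("/", "\\").endswith(DROPPED_SCRIPT) for e in entries)


def triage(vba_source: str, win_ini_text: str) -> dict:
    """Combine both checks into one verdict for an analyst."""
    entries = win_ini_startup_entries(win_ini_text)
    return {
        "macro_marker": macro_has_marker(vba_source),
        "win_ini_startup": references_dropped_script(entries),
        "startup_entries": entries,
    }


# Constructed sample inputs: the marker and author comments quoted in the
# analysis (no virus logic), plus an infected and a clean WIN.INI.
SAMPLE_VBA = """Attribute VB_Name = "module"
'WrittenBy = f0re [UC/Skamwerks/DVC]
'Version = .B (1.1)
'MyName = Overlord
Sub AutoOpen()
End Sub
"""
INFECTED_WIN_INI = r"""; constructed WIN.INI carrying the startup hook
[windows]
load=
run=C:\WINDOWS\overlord.b.vbs
[fonts]
"""
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n"

if __name__ == "__main__":
    print(triage(SAMPLE_VBA, INFECTED_WIN_INI))
    print(triage(SAMPLE_VBA, CLEAN_WIN_INI))
```

The Himem.sys side effect and the RegisteredOwner registry change need a live system or forensic image rather than text inputs, so they are left to a host-based check; the two text-based indicators here are enough to confirm that a document and its WIN.INI match this sample's behaviour.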
Telemetry
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |