VBS/Typhoid

Analysis

  • The virus is written in VBScript and is 6962 bytes long.
  • When run, the virus picks values for its variables with a randomizing routine. The variables are drawn from the following lists:

    random name:
    "SoupNazi"
    "AL"
    "George"
    "Jerry"
    "Hal"
    "Elaine"
    "Kraimer"
    "Newman"
    "Tron"
    "Colossus"
    "Homer"
    "Odysseus"
    "Romeo"
    "Juliet"
    "Vlad"

    random path:
    "c:\"
    "c:\windows\"
    "c:\program Files\"
    "c:\windows\system\"
    "c:\windows\sendto\"
    "c:\windows\command\"
    "c:\windows\start menu\programs\startup\"
    "c:\windows\command\ebd\"

  • The virus modifies the registry so that it loads at Windows startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    (random name) = (random path)\(random name).vbs

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    (random name) = (random path)\(random name).vbs
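The two startup entries above combine a name from the 15-name pool with a path from the 8-path pool, so they can be checked mechanically. The following script is an added example for this page, not Fortinet's code: it flags Run/RunServices values that match that pattern, working on a plain dict of registry values (the sample below is constructed) so it runs offline; `read_live_run_values()` shows how the same dict could be filled on a Windows host with the standard `winreg` module.

```python
"""Flag Run/RunServices values that match the VBS/Typhoid persistence pattern."""
import ntpath

# Name and path pools as listed in the analysis above (compared case-insensitively).
TYPHOID_NAMES = {
    "soupnazi", "al", "george", "jerry", "hal", "elaine", "kraimer", "newman",
    "tron", "colossus", "homer", "odysseus", "romeo", "juliet", "vlad",
}
TYPHOID_PATHS = {
    "c:\\",
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\windows\\system\\",
    "c:\\windows\\sendto\\",
    "c:\\windows\\command\\",
    "c:\\windows\\start menu\\programs\\startup\\",
    "c:\\windows\\command\\ebd\\",
}
STARTUP_KEYS = {"run", "runservices"}


def typhoid_run_entries(run_values):
    """Return (key, value_name, value_data) for every entry that matches
    '<name> = <path>\\<name>.vbs' with name and path from the pools above.

    run_values: {registry_key_path: {value_name: value_data}}
    """
    hits = []
    for key, values in run_values.items():
        if key.lower().rsplit("\\", 1)[-1] not in STARTUP_KEYS:
            continue
        for name, data in values.items():
            target = data.strip().strip('"').lower()
            directory, filename = ntpath.split(target)
            if not directory.endswith("\\"):
                directory += "\\"
            stem, ext = ntpath.splitext(filename)
            if (name.lower() in TYPHOID_NAMES and stem == name.lower()
                    and ext == ".vbs" and directory in TYPHOID_PATHS):
                hits.append((key, name, data))
    return hits


def read_live_run_values():
    """Collect both startup keys from a live Windows registry.

    winreg is imported here so the module still loads on non-Windows hosts;
    RunServices does not exist on current Windows versions, hence the except.
    """
    import winreg

    base = r"Software\Microsoft\Windows\CurrentVersion"
    result = {}
    for sub in ("Run", "RunServices"):
        key_path = base + "\\" + sub
        try:
            handle = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path)
        except FileNotFoundError:
            continue
        values = {}
        index = 0
        while True:
            try:
                value_name, value_data, _ = winreg.EnumValue(handle, index)
            except OSError:
                break
            values[value_name] = str(value_data)
            index += 1
        result["HKEY_LOCAL_MACHINE\\" + key_path] = values
    return result


# Constructed sample: two entries match the pattern, two do not.
SAMPLE_RUN_VALUES = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Homer": r"c:\windows\Homer.vbs",                  # name and path from the pools
        "SystemTray": r"C:\WINDOWS\SYSTEM\SYSTRAY.EXE",    # benign, name not in pool
    },
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices": {
        "Jerry": r"c:\windows\start menu\programs\startup\Jerry.vbs",  # matches
        "George": r"d:\tools\George.vbs",                  # name matches, path does not
    },
}

if __name__ == "__main__":
    for key, name, data in typhoid_run_entries(SAMPLE_RUN_VALUES):
        print(f"{key}\\{name} = {data}")
```

The check requires the value name and the file stem to be the same pool name, exactly as the analysis describes the entry being written; a looser rule (any `.vbs` under one of the eight paths) would also catch variants but would need review of the hits.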

  • The virus writes AUTOEXEC.BAT as a new file with this content:
    echo > prn Typhoid <By: icarus>

  • On systems that process AUTOEXEC.BAT at boot, the instruction above would cause an error message because of the pipe syntax "<" and ">". Perhaps the virus author intended the text "Typhoid <By: icarus>" to be sent to the local printer.

  • The virus replaces the contents of files with its own code if the files have one of the following extensions. Each group is selected with a 1 in 5 chance:

    1 in 5 chance these extensions are targeted:
    *.
    *.bmp
    *.jpg
    *.jpeg
    *.gif

    1 in 5 chance:
    *.
    *.vbs
    *.vbe
    *.js
    *.je

    1 in 5 chance:
    *.
    *.htm
    *.html
    *.chm
    *.cgi

    1 in 5 chance:
    *.
    *.txt
    *.doc
    *.wav
    *.mp3

  • The virus attempts to send itself to contacts from the Outlook address book. A typo prevents it from actually attaching itself, but the emails are still sent.

  • The virus constructs messages from a table of possible subject lines and body texts:

    Subject: (random name from list of 15 names)
    Possible body text:
    "Check out the AWESOME game attached!"
    "No time to explain! Catch ya later!"
    "Kill the pokemon in this game!"
    "Check this one out!"
    "SouthPark game....."
    "Here is ALOT of funny jokes! Open the attachment to read them."
    "Attached is information on the Monica Lewinsky scandal! A Must Read!"
    "I have attached a politician bowling game! Woo Hoo! Kill the IRS!"
    ""

  • The virus contains these comments:

    rem Typhoid
    rem <By: icarus> Hack The Planet!
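Because an overwritten file receives the whole script, the two comment lines above are a usable content signature for the files listed in the extension groups, and the dropped AUTOEXEC.BAT has a fixed single line. The script below is an added example for this page, not Fortinet's code: it classifies files by content, reports whether a hit has one of the targeted extensions, and includes a directory walker for a real scan. The sample files are constructed; the bare `*.` entries in the extension groups are taken here to mean files with no extension, which is an assumption.

```python
"""Triage files for VBS/Typhoid overwrites and its AUTOEXEC.BAT."""
import os
import re

# Extension groups from the analysis ("" stands in for the "*." entries: assumption).
TARGET_EXTENSIONS = {
    "", ".bmp", ".jpg", ".jpeg", ".gif",
    ".vbs", ".vbe", ".js", ".je",
    ".htm", ".html", ".chm", ".cgi",
    ".txt", ".doc", ".wav", ".mp3",
}

# Both comment lines must be present; VBScript's rem keyword is case-insensitive.
SIGNATURE_LINES = (
    re.compile(rb"(?im)^\s*rem\s+Typhoid\s*$"),
    re.compile(rb"(?im)^\s*rem\s+<By: icarus> Hack The Planet!\s*$"),
)
# The exact line the virus writes into AUTOEXEC.BAT.
AUTOEXEC_LINE = re.compile(rb"(?im)^\s*echo\s*>\s*prn\s+Typhoid\s+<By: icarus>\s*$")


def classify_file(path, data):
    """Return a verdict string for a Typhoid artefact, or None if clean.

    Works on Windows- and POSIX-style paths so it can be run on a mounted image.
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    ext = os.path.splitext(name)[1]
    if name == "autoexec.bat" and AUTOEXEC_LINE.search(data):
        return "typhoid-autoexec"
    if all(pattern.search(data) for pattern in SIGNATURE_LINES):
        # Targeted extensions are the expected overwrite victims; anything else
        # carrying the script is still worth a look, so it is reported too.
        return "typhoid-overwritten" if ext in TARGET_EXTENSIONS else "typhoid-code"
    return None


def triage(files):
    """files: iterable of (path, bytes). Returns {path: verdict} for hits only."""
    hits = {}
    for path, data in files:
        verdict = classify_file(path, data)
        if verdict:
            hits[path] = verdict
    return hits


def scan_directory(root, max_bytes=65536):
    """Yield (path, leading bytes) for every readable file under root.

    The script is 6962 bytes, so a 64 KiB head is enough to see the signature.
    """
    for dirpath, _, names in os.walk(root):
        for entry in names:
            full = os.path.join(dirpath, entry)
            try:
                with open(full, "rb") as fh:
                    yield full, fh.read(max_bytes)
            except OSError:
                continue


# Constructed sample content: the two signature comments followed by a stand-in
# for the rest of the script (the real body is not reproduced here).
TYPHOID_BODY = (
    b"rem Typhoid\r\n"
    b"rem <By: icarus> Hack The Planet!\r\n"
    b"' ... remainder of script (placeholder) ...\r\n"
)
SAMPLE_FILES = [
    ("c:\\photos\\holiday.jpg", TYPHOID_BODY),                        # overwritten
    ("c:\\photos\\intact.gif", b"GIF89a\x01\x00\x01\x00"),            # clean
    ("c:\\web\\index.html", b"<html>rem Typhoid</html>"),             # one line only: clean
    ("c:\\autoexec.bat", b"echo > prn Typhoid <By: icarus>\r\n"),     # dropped file
    ("c:\\docs\\notes.txt", TYPHOID_BODY),                            # overwritten
    ("c:\\bin\\tool.exe", TYPHOID_BODY),                              # not a listed extension
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_FILES).items():
        print(f"{verdict:20} {path}")
```

For a real scan, call `triage(scan_directory(r"D:\mounted_image"))`; the generator keeps memory flat because only the head of each file is read. Counting the `typhoid-overwritten` hits also gives the recovery scope, since those files hold the script rather than their original data.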

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR