VBS/Typhoid
Analysis
- Virus is coded in VBScript and is 6962 bytes in size.
- When run, the virus picks a random name and a random path using a randomizing routine. The possible values are as follows:
random name:
"SoupNazi"
"AL"
"George"
"Jerry"
"Hal"
"Elaine"
"Kraimer"
"Newman"
"Tron"
"Colossus"
"Homer"
"Odysseus"
"Romeo"
"Juliet"
"Vlad"
random path:
"c:\"
"c:\windows\"
"c:\program Files\"
"c:\windows\system\"
"c:\windows\sendto\"
"c:\windows\command\"
"c:\windows\start menu\programs\startup\"
"c:\windows\command\ebd\"
-
Virus modifies the registry so that it is loaded at Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
(random name) = (random path)\(random name).vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
(random name) = (random path)\(random name).vbs
-
Virus writes AUTOEXEC.BAT as a new file with this content:
echo > prn Typhoid <By: icarus>
-
On systems which run AUTOEXEC.BAT at boot, this line produces an error message rather than printing anything. "<" and ">" are not literal text to COMMAND.COM but redirection operators: "> prn" redirects the output of echo to the printer, while "<By:" attempts to redirect input from a file named "By:", which does not exist. The virus author probably intended the text "Typhoid <By: icarus>" to be sent to the local printer.
-
Virus replaces the contents of files with its own code if they have one of the following extensions. Each group of extensions is targeted with a 1 in 5 chance:
1 in 5 chance these extensions are targeted:
*.
*.bmp
*.jpg
*.jpeg
*.gif
1 in 5 chance:
*.
*.vbs
*.vbe
*.js
*.je
1 in 5 chance:
*.
*.htm
*.html
*.chm
*.cgi
1 in 5 chance:
*.
*.txt
*.doc
*.wav
*.mp3
-
Virus attempts to send itself to contacts from the Outlook address book. A typo in the code prevents the virus from actually attaching itself; the emails are still sent, without the attachment.
-
Virus constructs messages from a table of possible subject lines and body texts:
Subject: one of the 15 random names listed above
Possible body text (one of the following, the last being an empty body):
"Check out the AWESOME game attached!"
"No time to explain! Catch ya later!"
"Kill the pokemon in this game!"
"Check this one out!"
"SouthPark game....."
"Here is ALOT of funny jokes! Open the attachment to read them."
"Attached is information on the Monica Lewinsky scandal! A Must Read!"
"I have attached a politician bowling game! Woo Hoo! Kill the IRS!"
""
-
Virus contains these comments, which also appear in every file it overwrites:
rem Typhoid
rem <By: icarus> Hack The Planet!
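The persistence entries and the comment lines above give two practical hunting points: Run/RunServices values that point to a .vbs named after one of the 15 names in one of the 8 paths, and files of a targeted type whose contents now begin with the virus body. The following Python script is an added example written for this page; it is not Fortinet tooling and not the virus code. The name, path and extension lists are taken from the analysis above, while the regedit-style export and the file contents it scans are constructed samples, and the marker check (both "rem" comment lines present) is this example's own heuristic.

```python
"""Hunt for VBS/Typhoid persistence and overwritten files (added example).

SAMPLE_REG, SAMPLE_INFECTED and SAMPLE_CLEAN_JPG are constructed test data,
not artefacts from the Fortinet write-up.
"""
import re

# Values documented in the analysis above (compared case-insensitively).
RANDOM_NAMES = {n.lower() for n in (
    "SoupNazi", "AL", "George", "Jerry", "Hal", "Elaine", "Kraimer", "Newman",
    "Tron", "Colossus", "Homer", "Odysseus", "Romeo", "Juliet", "Vlad",
)}
RANDOM_PATHS = {
    "c:\\", "c:\\windows\\", "c:\\program files\\", "c:\\windows\\system\\",
    "c:\\windows\\sendto\\", "c:\\windows\\command\\",
    "c:\\windows\\start menu\\programs\\startup\\", "c:\\windows\\command\\ebd\\",
}
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
TARGETED_EXTS = {".bmp", ".jpg", ".jpeg", ".gif", ".vbs", ".vbe", ".js", ".je",
                 ".htm", ".html", ".chm", ".cgi", ".txt", ".doc", ".wav", ".mp3"}
# The two comment lines the virus carries; both must be present (own heuristic).
MARKERS = (b"rem typhoid", b"rem <by: icarus>")

# Constructed regedit export: one benign value per key plus the virus entries.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Kraimer"="c:\\windows\\sendto\\Kraimer.vbs"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Kraimer"="c:\\windows\\sendto\\Kraimer.vbs"
"""

# Constructed file contents: a .jpg overwritten with the script, and a real JPEG header.
SAMPLE_INFECTED = (b"rem Typhoid\r\nrem <By: icarus> Hack The Planet!\r\n"
                   b"' (remainder of the constructed script body omitted)\r\n")
SAMPLE_CLEAN_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00"

_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')


def parse_reg_export(text):
    """Parse a regedit-style export into {key_path_lower: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                name, data = m.groups()
                # regedit doubles backslashes inside string data; undo that.
                keys[current][name] = data.replace("\\\\", "\\")
    return keys


def find_typhoid_startup_entries(reg_text):
    """Return (key, value_name, data) for Run/RunServices values matching the
    (random name) = (random path)(random name).vbs pattern the virus writes."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key not in RUN_KEYS:
            continue
        for name, data in values.items():
            d = data.lower()
            if not d.endswith(".vbs"):
                continue
            directory, _, filename = d.rpartition("\\")
            directory += "\\"
            stem = filename[:-len(".vbs")]
            if directory in RANDOM_PATHS and stem in RANDOM_NAMES and name.lower() == stem:
                hits.append((key, name, data))
    return hits


def is_typhoid_overwritten(filename, content):
    """True when a file of a targeted type has been replaced by the virus body,
    identified by both 'rem' comment lines being present."""
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    if ext not in TARGETED_EXTS:
        return False
    body = content.lower()
    return all(marker in body for marker in MARKERS)


if __name__ == "__main__":
    for hit in find_typhoid_startup_entries(SAMPLE_REG):
        print("suspicious autorun entry:", hit)
    print("holiday.jpg infected:", is_typhoid_overwritten("holiday.jpg", SAMPLE_INFECTED))
    print("clean.jpg infected:", is_typhoid_overwritten("clean.jpg", SAMPLE_CLEAN_JPG))
```

On a real system the export would come from `regedit /e` and the file check would be run over the 16 extensions on every writable drive; a .jpg or .wav that starts with text rather than its binary magic is worth a look even when the comment lines have been edited out, since the virus replaces the whole file rather than appending to it.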
Detection Availability
Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |