Virus

W32/Scold.A@mm

Analysis

  • The virus is 32-bit with a compressed file size of 28,160 bytes
  • Virus is introduced to a target system via an email attachment from another infected user
  • If the virus is run, it may copy itself to the %Windows% folder as "warm.scr" and modify the registry to auto run this virus at next Windows startup
  • The virus will create an email message for each contact listed in the Windows address book - the email message may be slightly varied with the following properties -

    Subject: %x When It´s Cold Outside She Gives Me Warm Inside %random
    Body 1:
    You will love this cute picture.

    Body 2:
    Enjoy this great picture.

    Body 3:
    Don't miss this cool picture.

    Additional Body text -

    ============= Free Online Virus Scan =============
    100% VIRUS FREE
    No viruses or suspicious files were found in the attached file.
    Attachment: %random.scr

  • In the example above, %x is either no value, or it's one of the following -

    Fw:
    Re:

    And %random is random letters

Recommended Action

  • Enable blocking of .SCR file attachments using the FortiGate manager interface for POP3, SMTP and IMAP email services
  • Add the following words to the Email quarantine feature of FortiGate -

    Cold+Outside+She+Gives+Me+Warm+Inside

  • Configure email server applications to quarantine emails tagged by FortiGate and delete as necessary
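
The two checks recommended above (the quarantine phrase and .SCR attachment blocking), sketched as a mail-server-side filter. This is an added example, not FortiGate's own logic or code from the original advisory; the function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Quarantine phrase from the advisory's word list, tolerant of case and spacing.
PHRASE = re.compile(r"cold\s+outside\s+she\s+gives\s+me\s+warm\s+inside", re.I)


def subject_matches(subject: str) -> bool:
    """True if the subject carries the phrase, with or without a Fw:/Re: prefix."""
    return bool(PHRASE.search(subject or ""))


def scr_attachments(msg) -> list:
    """Names of MIME parts whose filename resolves to a .scr file on Windows."""
    names = []
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition filename, else Content-Type name
        # Windows drops trailing dots and spaces, so "x.scr. " still runs as .scr
        if name and name.rstrip(" .").lower().endswith(".scr"):
            names.append(name)
    return names


def should_quarantine(raw_message: str) -> bool:
    """Apply both advisory checks: the subject phrase and any .scr attachment."""
    msg = message_from_string(raw_message, policy=policy.default)
    return subject_matches(str(msg["Subject"] or "")) or bool(scr_attachments(msg))


def build_sample(subject: str, filename: str = None) -> str:
    """Constructed test mail; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("Enjoy this great picture.")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    samples = [("Fw: When It's Cold Outside She Gives Me Warm Inside qzkt", "qzkt.scr"),
               ("Quarterly report", "report.pdf"),
               ("Holiday photos", "beach.SCR.")]
    for subj, fname in samples:
        print(f"{subj!r} + {fname!r}: quarantine={should_quarantine(build_sample(subj, fname))}")
```

Matching on the phrase rather than the full subject line avoids depending on how the "´" character is encoded in transit.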