W32/Hybris.D@mm
Analysis
- Virus is 32-bit, with a size of 25,088 bytes, and is compressed
- When executed, this virus copies itself under a randomly assigned name to the Windows\System folder and modifies the registry to load this file at Windows startup
- Virus attempts to patch WSOCK32.DLL so that it can monitor email retrieval and sending events, collect email addresses, and send a copy of itself to the addresses it has collected
- Virus has the ability to monitor a newsgroup feed for binary updates or patches, which can alter the code and functionality of the virus; however, the feeds are no longer being posted
- Virus has the ability to retrieve update patches from Internet web sites related to the virus author, which can alter the code and functionality of the virus; the updates are no longer available
- Virus arrives as an attachment from infected users, most commonly in this format:
  From: hahaha@sexyfun.net
  Subject: Snow White and the Seven Dwarfs - The REAL Story!
  Attachment: dwarf4you.exe
  *The email content is dependent on the host operating system language.
- Virus contains the string "HYBRIS" near the top of an infected file
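As an added example (not part of the Fortinet write-up, and not Fortinet's own detection logic), the Python 3 script below applies the indicators listed above to raw email messages: the known sender, subject and attachment name, plus a scan of any .exe attachment for the "HYBRIS" string near the start of the file. The 1 KiB window used for "near the top", the rule that the binary marker alone or two header indicators together count as a hit, and the sample messages and stub attachments are all assumptions made for this example; the stubs are constructed bytes, not real samples.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators quoted from the W32/Hybris.D@mm description above.
HYBRIS_SENDER = "hahaha@sexyfun.net"
HYBRIS_SUBJECT = "Snow White and the Seven Dwarfs - The REAL Story!"
HYBRIS_ATTACHMENT = "dwarf4you.exe"
HYBRIS_MARKER = b"HYBRIS"
# Assumption: "near the top of an infected file" is read as the first 1 KiB.
HEADER_WINDOW = 1024


def classify_message(raw: bytes) -> dict:
    """Return which Hybris.D indicators a raw RFC 822 message matches."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = str(msg.get("From", ""))
    subject = str(msg.get("Subject", "")).strip()
    indicators = []

    if HYBRIS_SENDER in sender.lower():
        indicators.append("sender")
    if subject == HYBRIS_SUBJECT:
        indicators.append("subject")

    names = []
    name_hit = False
    marker_hit = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        names.append(name)
        if name.lower() == HYBRIS_ATTACHMENT:
            name_hit = True
        data = part.get_payload(decode=True) or b""
        # The string check does not depend on language, so it also catches the
        # localized variants the description mentions.
        if name.lower().endswith(".exe") and HYBRIS_MARKER in data[:HEADER_WINDOW]:
            marker_hit = True
    if name_hit:
        indicators.append("attachment-name")
    if marker_hit:
        indicators.append("marker")

    # Assumed rule: sender/subject/attachment name vary with the victim's OS
    # language, so the binary marker alone, or two header indicators together,
    # is treated as a hit.
    suspicious = marker_hit or len(indicators) >= 2
    return {"sender": sender, "subject": subject, "attachments": names,
            "indicators": indicators, "suspicious": suspicious}


def build_sample(sender, subject, filename, payload):
    """Construct a test message in memory (sample data, not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.test"
    m["Subject"] = subject
    m.set_content("Attached file, please open.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


# Constructed stand-ins: an executable-like blob carrying the marker near its
# start, and an unrelated PDF-like blob. Neither is real malware.
INFECTED_STUB = b"MZ" + b"\x00" * 200 + HYBRIS_MARKER + b"\x00" * 64
BENIGN_STUB = b"%PDF-1.4 constructed sample"

if __name__ == "__main__":
    for args in [(HYBRIS_SENDER, HYBRIS_SUBJECT, HYBRIS_ATTACHMENT, INFECTED_STUB),
                 ("alice@example.test", "Q3 report", "report.pdf", BENIGN_STUB)]:
        print(classify_message(build_sample(*args)))
```

Feeding the script a mailbox export (one raw message per call) gives a per-message indicator list that can be logged or used to quarantine; because the header-based indicators are tied to one language variant, the marker scan of .exe attachments is the check to rely on when the sender and subject do not match.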
Recommended Action
Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
Telemetry
Detection Availability
Product | Database
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |