Virus

W32/Zoher.A@mm

Analysis

Variants added to detection in v4.557 AV db update

  • Virus is 32bit, with a size of 6656 bytes
  • If virus is run on a host, it will attempt to retrieve a file “list.txt” from the website “banners.interfree.it” and use this file as a configuration of Subject line, Body text and file attachment name in order to create potentially different messages – the file is no longer available
  • The virus will then attempt to send itself based on the data from “list.txt” – since the file is no longer available, emails would not contain an attachment or body text
  • Virus arrives as an attachment, from infected users, in an MIME format message
  • Message is structured such that an I-Frame exploit will cause the attachment to launch automatically when the message is either opened, or previewed in Outlook
  • Attachment launches and initiates an emailing routine, sending a copy of itself to each contact listed in the Outlook address book

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option