W32/Zoher.A@mm
Analysis
Variants added to detection in v4.557 AV db update
- Virus is 32-bit, with a size of 6656 bytes
- If the virus is run on a host, it will attempt to retrieve a file "list.txt" from the website "banners.interfree.it" and use this file as a configuration of Subject line, Body text and file attachment name in order to create potentially different messages. The file is no longer available.
- The virus will then attempt to send itself based on the data from "list.txt". Since the file is no longer available, emails would not contain an attachment or body text.
- Virus arrives as an attachment, from infected users, in a MIME format message
- Message is structured such that an I-Frame exploit will cause the attachment to launch automatically when the message is either opened, or previewed in Outlook
- Attachment launches and initiates an emailing routine, sending a copy of itself to each contact listed in the Outlook address book
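The message structure described above (an HTML body whose IFRAME points at an attached executable so that it launches on open or preview) is something a mail gateway can check for before any AV signature is involved. The following is an added example written for this page, not Fortinet code and not a sample of the real virus: it parses a MIME message with Python's standard `email` library, collects every `<iframe src="cid:...">` reference in HTML parts, and flags the message when that Content-ID resolves to an attachment that looks executable (by file extension or a generic binary content type). Both messages in the block are constructed samples; the part names, Content-IDs and the `EXEC_EXT` extension list are assumptions of the example, not data from the analysis.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample (NOT a real Zoher message): an HTML part whose <iframe>
# references an attached binary by Content-ID, the auto-launch pattern the
# analysis describes. The attachment body is the base64 of "placeholder".
SAMPLE_EML = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="us-ascii"

<html><body>
<iframe src="cid:part1@example.invalid" width="0" height="0"></iframe>
</body></html>
--BOUND
Content-Type: application/octet-stream; name="update.exe"
Content-ID: <part1@example.invalid>
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--BOUND--
"""

# Constructed benign sample: an inline image referenced by cid, which is the
# legitimate use of multipart/related and must not be flagged.
BENIGN_EML = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: constructed benign sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="us-ascii"

<html><body><img src="cid:logo@example.invalid"></body></html>
--BOUND
Content-Type: image/png; name="logo.png"
Content-ID: <logo@example.invalid>
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--BOUND--
"""

# Assumed list of extensions treated as directly executable by the mail client.
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd|vbs|js)$", re.IGNORECASE)
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}
IFRAME_CID = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?cid:([^'\">\s]+)", re.IGNORECASE)


def cid_parts(msg: Message) -> dict:
    """Map each Content-ID (angle brackets stripped) to its MIME part."""
    out = {}
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid:
            out[cid.strip().strip("<>")] = part
    return out


def iframe_cid_refs(msg: Message) -> list:
    """Return every cid referenced from an <iframe src="cid:..."> in HTML parts."""
    refs = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "ascii"
            html = part.get_payload(decode=True).decode(charset, "replace")
            refs.extend(IFRAME_CID.findall(html))
    return refs


def scan_message(raw: str) -> list:
    """Flag IFRAMEs that resolve to an executable-looking attachment.

    Returns a list of finding dicts; an empty list means nothing suspicious.
    """
    msg = message_from_string(raw)
    parts = cid_parts(msg)
    findings = []
    for cid in iframe_cid_refs(msg):
        part = parts.get(cid)
        if part is None:
            continue  # dangling reference; nothing to launch
        name = part.get_filename() or ""
        if EXEC_EXT.search(name) or part.get_content_type() in BINARY_TYPES:
            findings.append({"rule": "iframe-launches-attachment",
                             "cid": cid, "filename": name})
    return findings


if __name__ == "__main__":
    print(scan_message(SAMPLE_EML))   # one finding for update.exe
    print(scan_message(BENIGN_EML))   # []
```

The check is deliberately narrow: an `<img>` referencing a cid is normal HTML mail and stays clean, while an `<iframe>` whose target is a binary attachment has no legitimate reason to exist in mail and is worth quarantining regardless of whether the attachment itself matches a signature.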
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Telemetry
Detection Availability

Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |