W32/Yodo.B@mm

Analysis

  • The virus is 32-bit, with a size of 73,728 bytes
  • The virus was coded using Visual Basic 6 and requires the runtime library MSVBVM60.DLL
  • If the virus is run, it will copy itself as C:\Windows\ecard.exe and possibly modify the registry to load at the next Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    E-Card = ecard.exe

  • The virus may also delete *.ini files from "C:\windows"

  • The virus may display a dialogue box with this detail -

    Greet
    Hello once again Dolly! We are back for round three ^_-

  • The virus may construct an email in the following format and send it to all contacts listed in all address lists from the Outlook address book -
    Subject: A E-card just for you from your friend
    Body:
    Hello. I just wanted to send you this e-card
    to show you how much of a friend you are to
    me! Please look at the attached E-card.
    Scanned with Norton Anti-Virus
    Attachment: ecard.exe
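
A mail-triage check built from the e-mail traits listed above, as an added example that is not part of the original write-up. The function names, the verdict policy (attachment name plus one other trait) and the sample messages are assumptions made for illustration; the sample attachment contains placeholder bytes only.

```python
from email import message_from_string
from email.message import EmailMessage

# Traits taken from the analysis above.
SUBJECT = "a e-card just for you from your friend"
ATTACHMENT = "ecard.exe"
BODY_MARKERS = ("please look at the attached e-card",
                "scanned with norton anti-virus")

def score_message(raw: str) -> dict:
    """Report which traits of the described e-mail a raw message shows."""
    msg = message_from_string(raw)
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    names, text = [], []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            names.append(filename.strip().lower())
        elif part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            text.append(data.decode(charset, "replace"))
    body = " ".join(" ".join(text).split()).lower()
    hits = {
        "subject": subject == SUBJECT,
        "attachment": ATTACHMENT in names,
        "body": all(marker in body for marker in BODY_MARKERS),
    }
    # Policy assumed for this example: the attachment name plus one more trait.
    hits["verdict"] = hits["attachment"] and (hits["subject"] or hits["body"])
    return hits

def build_sample(subject: str, body: str, attachment: str = "") -> str:
    """Construct a test message; the attachment holds placeholder bytes only."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"constructed placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()

TEMPLATE_BODY = ("Hello. I just wanted to send you this e-card\n"
                 "to show you how much of a friend you are to\n"
                 "me! Please look at the attached E-card.\n"
                 "Scanned with Norton Anti-Virus\n")

if __name__ == "__main__":
    raw = build_sample("A E-card just for you from your friend", TEMPLATE_BODY, "ECARD.EXE")
    print(score_message(raw))
```

Matching is case-insensitive and whitespace-tolerant, so re-wrapped body text or an upper-cased attachment name still scores; a message carrying only the subject line, with no attachment, does not reach a verdict.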

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR