W32/Yodo.B@mm
Analysis
- Virus is 32-bit with a size of 73,728 bytes
- Virus was coded using Visual Basic 6 and requires the Runtime Library MSVBVM60.DLL
- If virus is run, it will copy itself as C:\Windows\ecard.exe and possibly modify the registry to load at next Windows startup -
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    E-Card = ecard.exe
- The virus may also delete *.ini files from "C:\windows"
- The virus may display a dialogue box with this detail -
    Greet
    Hello once again Dolly! We are back for round three ^_-
- The virus may construct an email in the following format and send it to all contacts listed in all address lists from the Outlook address book -
    Subject: A E-card just for you from your friend
    Body:
    Hello. I just wanted to send you this e-card
    to show you how much of a friend you are to
    me! Please look at the attached E-card.
    Scanned with Norton Anti-Virus
    Attachment: ecard.exe
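The persistence and mailer indicators listed above can be turned into a host check. The following script is an added example and is not code from the Fortinet page; it parses a minimal .reg export (only string values of the form "name"="data" are handled), a file listing and a list of mail headers, all constructed inline, and reports matches for the Run value, the dropped file and the lure subject/attachment. Paths, the .reg excerpt and the mail samples are hypothetical.

```python
"""Indicator check for the W32/Yodo.B@mm behaviours described above.

Added example, not Fortinet's code. The registry export, file listing and
mail samples below are constructed for the demonstration.
"""
import re

# Indicators taken from the analysis above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "E-Card"
DROPPED_FILE = r"C:\Windows\ecard.exe"
MAIL_SUBJECT = "A E-card just for you from your friend"
MAIL_ATTACHMENT = "ecard.exe"

# Constructed .reg export (hypothetical host): one malicious and one benign Run value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"E-Card"="ecard.exe"
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
'''

# Constructed file listing of C:\Windows on the hypothetical host.
SAMPLE_FILES = [r"C:\Windows\explorer.exe", r"C:\Windows\ecard.exe", r"C:\Windows\notepad.exe"]

# Constructed (subject, attachments) pairs seen at a mail gateway.
SAMPLE_MAILS = [
    ("A E-card just for you from your friend", ["ecard.exe"]),
    ("Meeting notes", ["notes.pdf"]),
]


def parse_reg_export(text):
    """Parse a minimal .reg export into {(key_lowercased, value_name): data}.

    Only string values ("name"="data") are handled; .reg doubles backslashes
    inside data, so they are folded back to single backslashes.
    """
    entries = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="([^"]*)"', line)
            if m:
                entries[(key, m.group(1))] = m.group(2).replace("\\\\", "\\")
    return entries


def run_key_findings(entries):
    """Report Run values matching the E-Card name or launching ecard.exe."""
    findings = []
    for (key, name), data in entries.items():
        if key != RUN_KEY.lower():
            continue
        if name.lower() == RUN_VALUE_NAME.lower() or data.lower().endswith("ecard.exe"):
            findings.append(f"Run value {name!r} -> {data!r}")
    return findings


def dropped_file_findings(file_listing):
    """Return any path equal (case-insensitively) to the dropped copy."""
    return [p for p in file_listing if p.lower() == DROPPED_FILE.lower()]


def mail_is_lure(subject, attachments):
    """True when both the lure subject and the ecard.exe attachment are present."""
    return subject.strip() == MAIL_SUBJECT and any(
        a.lower() == MAIL_ATTACHMENT for a in attachments
    )


def scan_host(reg_text, file_listing, mails):
    """Return a list of (category, detail) findings for one host."""
    findings = []
    for f in run_key_findings(parse_reg_export(reg_text)):
        findings.append(("persistence", f))
    for f in dropped_file_findings(file_listing):
        findings.append(("dropped_file", f))
    for subject, attachments in mails:
        if mail_is_lure(subject, attachments):
            findings.append(("mailer_lure", subject))
    return findings


if __name__ == "__main__":
    for category, detail in scan_host(SAMPLE_REG, SAMPLE_FILES, SAMPLE_MAILS):
        print(f"{category}: {detail}")
```

Both Run-value conditions are checked separately because the analysis says the registry change is only "possible": a value named E-Card with different data, or another name launching ecard.exe, still warrants a look. A Run value with a benign name and a clean path (the ctfmon entry in the constructed export) produces no finding.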
Telemetry

Detection Availability

Product | Detection Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |