W32/Zafi.A@mm
Analysis
Variants added to detection in v4.557 AV db update
Specifics
This 32-bit virus has a packed file size of 11,776 bytes.
The virus is coded to send itself only to email addresses
ending in ".hu" [the country-code top-level domain
for Hungary].
Loading At Windows Startup
If the virus is run, it writes a copy of itself to the System32
folder as a randomly named EXE file such as "xpjzolns.exe"
and registers that copy to run at each Windows startup under
a randomly named value, as in this example -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"zciojhxq" = C:\WINNT\System32\xpjzolns.exe
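As an added example (this is not Fortinet's code), the following Python turns the Run-key entry quoted above into a heuristic check that a responder could run over the HKLM Run key or over entries exported from a suspect host. The "eight random lowercase letters" pattern is inferred from the single example on this page, so it is an assumption: it will not catch a variant that uses a different naming scheme, a different key, or a different target folder.

```python
import re

# Heuristic modelled on the persistence entry quoted above (added example, not
# Fortinet's code): an 8-letter lowercase value name under the HKLM Run key whose
# command is an 8-letter lowercase .exe inside System32. The length and the
# lowercase-only alphabet are assumptions drawn from the one example on the page.
RUN_KEY_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RANDOM_NAME = re.compile(r"^[a-z]{8}$")
SYSTEM32_EXE = re.compile(
    r"^[a-z]:\\(?:winnt|windows)\\system32\\([a-z]{8})\.exe$", re.IGNORECASE
)


def is_suspicious_run_entry(value_name, command):
    """Return True when a Run value looks like the Zafi.A persistence entry."""
    cmd = command.strip().strip('"')
    m = SYSTEM32_EXE.match(cmd)
    if m is None:
        return False
    stem = m.group(1)
    # Both the value name and the file stem must be random *lowercase* letters;
    # the directory part is matched case-insensitively above.
    return bool(RANDOM_NAME.match(value_name)) and stem == stem.lower()


def find_suspicious(entries):
    """Filter (value_name, command) pairs down to the suspicious ones."""
    return [(n, c) for n, c in entries if is_suspicious_run_entry(n, c)]


# Constructed sample: the first pair is the page's own example, the other two
# are made-up entries of the kind a clean machine carries.
SAMPLE_RUN_ENTRIES = [
    ("zciojhxq", r"C:\WINNT\System32\xpjzolns.exe"),
    ("ctfmon", r"C:\WINDOWS\System32\ctfmon.exe"),
    ("Updater", r'"C:\Program Files\Example\updater.exe" /background'),
]


def read_live_run_entries():
    """On Windows, enumerate the real HKLM Run key; on other platforms return []."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values under the key
            entries.append((name, str(value)))
            index += 1
    return entries


if __name__ == "__main__":
    for name, cmd in find_suspicious(SAMPLE_RUN_ENTRIES + read_live_run_entries()):
        print(f"suspicious Run entry: {name} = {cmd}")
```

The check is deliberately narrow, so treat a hit as a lead rather than a verdict: confirm by hashing the referenced file and checking for the randomly named .DLL files in System32 that the spreading routine below creates.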
Email Spreading Routine
The virus searches the hard drive for email addresses and
keeps only those ending in ".hu", which limits its spreading
to Hungarian domains. The harvested addresses are stored in
randomly named .DLL files in the System32 folder.
The virus then composes an email with fixed details and a fixed attachment name and sends itself using its own built-in SMTP engine. The attachment is named -
"link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com"
Note that the name ends in ".com": it reads like a web address but is the extension of a DOS executable, which is why blocking .COM attachments at the mail gateway stops this variant.
Recommended Action
- Check the main screen of the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- Using the FortiGate manager, enable blocking of .COM file attachments on the SMTP, POP3 and IMAP services
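As an added example that is not Fortinet's or the FortiGate's own logic, the Python below shows what the second recommendation amounts to when applied to a message: parse the mail, take each attachment's filename, and block on the extension. The sample message is constructed here and carries the attachment name quoted in the spreading routine; ".com" is the extension the page says to block, while the other extensions in the block list are an assumed gateway policy for other directly executable types.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment name quoted on the page. Its ".com" ending is the DOS executable
# extension, not a domain, which is what an extension-based rule keys on.
ZAFI_ATTACHMENT_NAME = (
    "link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com"
)

# ".com" is from the page's recommendation; the rest are an assumed policy.
BLOCKED_EXTENSIONS = {".com", ".exe", ".pif", ".scr", ".bat"}


def build_sample_message(filename=ZAFI_ATTACHMENT_NAME):
    """Constructed sample: a message carrying one attachment with the given name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.hu"
    msg["To"] = "recipient@example.hu"
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body text")
    msg.add_attachment(
        b"MZ\x90\x00constructed-placeholder-bytes-not-real-malware",
        maintype="application",
        subtype="octet-stream",
        filename=filename,
    )
    return msg.as_bytes()


def attachment_filename(part):
    """Recover the attachment filename, including RFC 2231 folded/sectioned names."""
    disposition = part.get("Content-Disposition")
    if disposition is not None and "filename" in disposition.params:
        return disposition.params["filename"]
    return part.get_filename() or ""


def blocked_attachments(raw_message):
    """Return the filenames of attachments whose extension is on the block list."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = attachment_filename(part)
        # splitext looks only at the last dot, so the long dotted name still
        # yields ".com" as its extension.
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def should_block(raw_message):
    """Gateway decision for one message: True when any attachment is blocked."""
    return bool(blocked_attachments(raw_message))


if __name__ == "__main__":
    raw = build_sample_message()
    print("block:", should_block(raw), blocked_attachments(raw))
```

Extension matching is what the FortiGate file-block rule does and is enough for this variant because the attachment name is fixed; a gateway that also inspects content (an "MZ" header inside a file claiming to be something harmless) catches renamed copies that a pure extension rule misses.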
Telemetry
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |