W32/Whog.878.B
Analysis
Variants added to detection in v4.557 AV db update
- Virus is 32-bit and targets Windows 95/98/Me platform .EXE files
- Virus loads into memory and uses a call to the device driver IFSMGR in order to may API system and infect files which are run either by the user or by the file system
- Virus appends its code to target files; the virus body is 878 bytes
- The virus may alter the “start page” key in the system registry to cause Internet Explorer to point to the URL “http://202.115.16.8/~ekang” when the browser is launched
- Virus contains this string in its code: Lock IE Start Page Ver 2.0,By Whg 2001.6.13
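The indicators listed above (the embedded string, the 878-byte appended body and the start page URL) can be turned into a quick triage check. This is an added example, not vendor code; the function names are hypothetical, and it assumes the string is stored as plain ASCII and that the appended body sits at the very end of the file.

```python
# Added triage example; indicator values are the ones quoted in the description.
MARKER = b"Lock IE Start Page Ver 2.0,By Whg 2001.6.13"  # assumed ASCII on disk
BODY_SIZE = 878  # virus body length stated in the description
START_PAGE_URL = "http://202.115.16.8/~ekang"


def scan_exe(data: bytes) -> dict:
    """Report whether a file image carries the marker string, and where."""
    is_mz = data[:2] == b"MZ"  # DOS/PE executables start with "MZ"
    offset = data.find(MARKER)
    # Assumption: an appended body occupies the last BODY_SIZE bytes of the file.
    in_tail = offset != -1 and offset >= max(len(data) - BODY_SIZE, 0)
    return {
        "is_exe": is_mz,
        "marker_offset": offset,
        "marker_in_tail": in_tail,
        "suspect": is_mz and offset != -1,
    }


def start_page_altered(value: str) -> bool:
    """True if an exported Start Page value points at the URL in the description."""
    cleaned = value.strip().strip('"').rstrip("/").lower()
    return cleaned == START_PAGE_URL.lower()


def build_samples():
    """Constructed byte strings (not real malware): a clean stub, and the same
    stub followed by a fake 878-byte tail that contains only the marker."""
    clean = b"MZ" + b"\x00" * 2046
    tail = (b"\x90" * 400 + MARKER).ljust(BODY_SIZE, b"\x00")
    return clean, clean + tail


if __name__ == "__main__":
    clean, marked = build_samples()
    for name, blob in (("clean.exe", clean), ("marked.exe", marked)):
        print(name, scan_exe(blob))
    print(start_page_altered('"http://202.115.16.8/~ekang"'))
```

A hit with `marker_in_tail` set is consistent with the appending behaviour described; a hit elsewhere in the file still warrants a full AV scan.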
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option