Virus

W32/Whog.878.B

Analysis

Variants added to detection in v4.557 AV db update

  • Virus is 32bit and targets Windows 95/98/Me platform .EXE files
  • Virus loads into memory and uses a call to the device driver IFSMGR in order to may API system and infect files which are run either by the user or by the file system
  • Virus appends its code to target files – the virus body is 878 bytes
  • The virus may alter the “start page” key in the system registry to cause Internet Explorer to point to the url “http://202.115.16.8/~ekang” when the browser is launched
  • Virus contains this string in its code –
    Lock IE Start Page Ver 2.0,By Whg 2001.6.13

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option