Virus

W32/Squirrel!worm

Analysis

This virus is 32-bit with instructions to append its code to other 32-bit file targets. This virus uses library imports from MPR.DLL in order to enumerate available resources or target systems across a network.
The virus will look for files with extensions of EXE or SCR. The virus will confirm that the file is a target by comparing the first two bytes - if they match "MZ" or 0x4D5A, then the file is a possible host. Next, the virus searches for the PE header, notated in 32-bit files by "PE" or 0x5045.
In infected files, the virus places a marker 8 bytes after the PE header - the marker is 0x636F6F6C, or the word "cool". The virus checks if this infection marker exists in potential files. Not finding the marker, the virus will add another PE section named ".chi" and append its code into the newly created section. The section size is 2048 bytes in size, and the actual virus code is 2018 bytes. Infected files increase in size by 2048 bytes.
The virus will search for target hosts on all mapped drives from C: to Z:.

Recommended Action

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option