Virus

W32/Weird.A

Analysis

This is a 32-bit virus designed to infect other EXE files on the compromised system. Infected files grow by 14 KB, but the file's modification date and time are left unchanged, so a file-time check alone will not reveal the infection.

KERNEL32.DLL Replacement
This virus seeks to replace KERNEL32.DLL with a patched/infected copy. Because KERNEL32.DLL is in use while Windows is running, W32/Weird cannot overwrite it directly; instead it writes the infected copy as "KERNEL32.A" into the %System% folder and creates a config file named "wininit.ini" with a rename entry that replaces the good copy with the infected copy the next time the system is restarted / rebooted. (wininit.ini is the Windows 9x/Me mechanism for deferred file renames; its [rename] section is processed at boot, before the files are in use.) The presence of KERNEL32.A in %System%, or of a wininit.ini whose [rename] section targets KERNEL32.DLL, is therefore an indicator of this virus before the replacement has taken effect.

Miscellaneous
Some infected files carry a text marker in the PE header indicating that the virus has infected the file:

Coded by Weird

Infected files are identified as "W32/Weird.A".
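The two indicators above (the wininit.ini rename pointing KERNEL32.DLL at KERNEL32.A, and the "Coded by Weird" marker) can be checked mechanically. The following is an added example written for this page, not Fortinet's detection code or the virus's own code: it parses the [rename] section of a wininit.ini, flags any entry whose destination is KERNEL32.DLL, and scans a PE image for the marker string. The wininit.ini contents and the minimal PE image are constructed inline for illustration; the marker is searched for across the whole file rather than only the header, since the page does not state its exact offset (an assumption made here).

```python
import ntpath

MARKER = b"Coded by Weird"          # marker string reported on the page
TARGET_DLL = "kernel32.dll"

# Constructed sample wininit.ini; the exact lines the virus writes are not on the page.
# Format is destination=source under [rename]; NUL=path deletes a file.
SAMPLE_WININIT = (
    "[rename]\r\n"
    "NUL=C:\\WINDOWS\\TEMP\\setup.tmp\r\n"
    "C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL=C:\\WINDOWS\\SYSTEM\\KERNEL32.A\r\n"
)


def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section of a wininit.ini."""
    renames = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            renames.append((dest.strip(), src.strip()))
    return renames


def flag_kernel32_replacement(renames):
    """Return the rename entries that would overwrite KERNEL32.DLL at next boot."""
    return [(d, s) for d, s in renames
            if ntpath.basename(d).lower() == TARGET_DLL]


def is_pe(data):
    """Minimal PE check: MZ stub, e_lfanew at 0x3c, 'PE\\0\\0' signature there."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def has_weird_marker(data):
    """True if the marker string appears anywhere in the image (whole-file scan; assumption)."""
    return data.find(MARKER) != -1


def scan_image(data):
    """Summarise both checks for one file's bytes."""
    return {"is_pe": is_pe(data), "marker": has_weird_marker(data)}


def build_sample_pe(with_marker):
    """Constructed minimal PE-shaped image: DOS header, e_lfanew=0x40, PE signature, optional marker."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)            # 0x40-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> PE signature
    body = b"PE\0\0" + b"\0" * 20                   # signature + zeroed COFF header
    if with_marker:
        body += MARKER
    return bytes(hdr) + body


if __name__ == "__main__":
    for dest, src in flag_kernel32_replacement(parse_rename_section(SAMPLE_WININIT)):
        print(f"wininit.ini would replace {dest} with {src}")
    for flag in (True, False):
        print(flag, scan_image(build_sample_pe(flag)))
```

On a live Windows 9x host the same logic would be run against `%WinDir%\wininit.ini` and the EXE files under scan; a hit on either check is a reason to quarantine KERNEL32.A and remove the wininit.ini entry before rebooting, since the replacement only takes effect at the next restart.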

Recommended Action

  • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option