W32/Wukill.E@mm
Analysis
- During testing of this virus, the researcher used a Windows 98 system configured with Outlook Express. On that system the threat did not function as expected: the MsDoStray.com file was not dropped to the expected location, and no infected attachments or emails were sent.
- If run on a computer that meets the MS Visual Basic and MS Outlook requirements, this threat attempts to drop a file named MsDoStray.com into the Windows or Windows\System folder. At the same time it attempts to modify the Windows registry (HKLM\....\CurrentVersion\Run\) so that a Run value points to the MsDoStray.com executable, causing it to start with Windows.
- Upon restart, MsDoStray loads as a process and begins searching various Outlook folders (Inbox, Sent, etc.) for email addresses of potential future hosts.
- For each valid email address found, this threat composes an email carrying an infected attachment, then uses MS Outlook to send it to each address found.
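The two host artefacts named in the analysis (the dropped MsDoStray.com file and the Run value pointing at it) are easy to check for during triage. The script below is an added example, not Fortinet's code: it takes the Run values and the set of existing files as plain Python data so the matching logic runs offline, and it assumes the abbreviated registry path above is the standard HKLM\Software\Microsoft\Windows\CurrentVersion\Run key. On a live Windows host the same inputs would come from winreg and os.path.exists; the sample host state at the bottom is constructed, not real telemetry.

```python
"""Triage helper for the W32/Wukill.E@mm host indicators described in the analysis.

Added example (not Fortinet's code). Flags:
  * a Run value whose command refers to MsDoStray.com
  * MsDoStray.com present in the Windows or Windows\\System folder
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

DROPPER_NAME = "msdostray.com"  # file name from the analysis, compared case-insensitively
# Assumption: the page abbreviates the key; this is the standard per-machine Run key.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass(frozen=True)
class Finding:
    kind: str    # "run_value" or "dropped_file"
    detail: str  # where the indicator was seen


def _command_image(command: str) -> str:
    """Return the lower-cased file name of the executable a Run command launches.

    Handles both quoted paths with trailing arguments and bare paths.
    """
    c = command.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        c = c[1:end] if end > 0 else c[1:]
    else:
        c = c.split(" ", 1)[0]
    return ntpath.basename(c).lower()


def expected_drop_paths(windir: str = r"C:\Windows") -> list[str]:
    """The two locations the analysis says the dropper is written to."""
    return [
        ntpath.join(windir, "MsDoStray.com"),
        ntpath.join(windir, "System", "MsDoStray.com"),
    ]


def scan_run_values(run_values: dict[str, str]) -> list[Finding]:
    """Flag Run values (name -> command) whose launched image is the dropper."""
    return [
        Finding("run_value", f"{RUN_KEY}\\{name} = {command}")
        for name, command in run_values.items()
        if _command_image(command) == DROPPER_NAME
    ]


def scan_files(existing_files: set[str], windir: str = r"C:\Windows") -> list[Finding]:
    """Flag the dropper if it exists at either expected path (case-insensitive)."""
    present = {f.lower() for f in existing_files}
    return [
        Finding("dropped_file", path)
        for path in expected_drop_paths(windir)
        if path.lower() in present
    ]


def triage(run_values: dict[str, str], existing_files: set[str],
           windir: str = r"C:\Windows") -> list[Finding]:
    """Combine both checks into one list of findings."""
    return scan_run_values(run_values) + scan_files(existing_files, windir)


# Constructed sample host state (not real telemetry): one benign Run value,
# one pointing at the dropper, and the dropper present on disk.
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe",
    "MsDoStray": r"C:\Windows\System\MsDoStray.com",
}
SAMPLE_FILES = {r"C:\Windows\System\MsDoStray.com", r"C:\Windows\notepad.exe"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN_VALUES, SAMPLE_FILES):
        print(finding.kind, finding.detail)
```

The comparison is deliberately on the launched image's file name rather than the whole command string, so a quoted path with arguments or a different drive letter still matches; on a real host, feed `scan_run_values` the values enumerated from the Run key and `scan_files` the paths that `os.path.exists` confirms.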
Recommended Action
- Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.
Detection Availability
Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |