- Virus is 32-bit with a UPX-compressed size of 27,138
- When executed, virus may attempt to disable processes which might match the following names -
Virus may copy itself to the Recycle Bin folder under a random six-letter file name and modify the registry so that a copy of the virus runs any time an EXE file is run, as in this example -
(Default) = ""c:\recycled\xxxxxx" %1 %*"
* Where "xxxxxx" is the name of the file created in the Recycle Bin.
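A defender's check for the registry change described above, as an added example that is not part of the original description: it classifies the (Default) command value of the EXE open handler. It assumes the stock Windows value is `"%1" %*`, generalizes the Recycle Bin folder beyond `c:\recycled` to `RECYCLER` and `$Recycle.Bin`, and uses constructed sample values; the function names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Recycle Bin folder names across Windows versions (generalization beyond c:\recycled).
RECYCLE_DIRS = {"recycled", "recycler", "$recycle.bin"}

# First token of a command line: a quoted string or a run of non-space characters.
_FIRST_TOKEN = re.compile(r'\s*(?:"([^"]*)"|(\S+))')


def handler_program(command):
    """Return the program an open-command value launches first, or None if empty."""
    m = _FIRST_TOKEN.match(command)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def classify(command):
    """Classify an EXE open-command value.

    'clean'            - the clicked file itself (%1) is launched
    'missing'          - empty value, EXE launching is broken
    'recycle-bin-copy' - a six-letter file in a Recycle Bin folder runs first
    'hijacked'         - some other program is interposed
    """
    program = handler_program(command)
    if program is None:
        return "missing"
    if program == "%1":
        return "clean"
    path = PureWindowsPath(program)
    in_recycle_bin = any(p.lower() in RECYCLE_DIRS for p in path.parent.parts)
    six_letters = re.fullmatch(r"[A-Za-z]{6}", path.stem) is not None
    if in_recycle_bin and six_letters:
        return "recycle-bin-copy"
    return "hijacked"


if __name__ == "__main__":
    # Constructed sample values, not taken from an infected system.
    samples = [
        '"%1" %*',
        r'"c:\recycled\qwhzpm" %1 %*',
        r'"C:\Tools\wrapper.exe" "%1" %*',
        "",
    ]
    for value in samples:
        print(f"{classify(value):17} {value!r}")
```

Any result other than `clean` means a program is launched ahead of every EXE, so restore the value before removing the referenced file.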
Next, the virus will scavenge the local drive for email addresses and send a copy of itself to addresses found in varying email formats, based on a randomly selected subject line and body text.
The message is structured so that it uses an exploit which will cause the attachment to launch automatically when the message is either opened or previewed in Outlook -
- The email message will have an additional file attachment, typically a file with .HTM extension, which is a clean and non-infectious file.
- Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.