VirusW95/Weird.10240
Analysis
- Viral body is 10,240 bytes and is prepended to
files
- Virus locates Explorer.exe and copies it as a new
file into the Windows folder with a single character
extension such as "Explorer.m" - the virus
then infects this copy
- Virus attempts to overwrite existing application
Explorer.exe with the infected copy using a method
involving WININIT.INI to replace files at Windows
startup - this method does not work properly on Windows
NT based operating systems
- Virus infects files in the Windows\System folder
and any file accessed afterwards
- Virus opens a connection to the Internet using
TCP port 17300 - this is done in an effort to allow
remote access to the infected host
- Virus contains the following text string -
Coded by Weird
Recommended Action
Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extreme | |
| FortiClient | |
| Extended | |
| FortiMail | |
| Extended | |
| FortiSandbox | |
| Extended | |
| FortiWeb | |
| Extended | |
| Web Application Firewall | |
| Extended | |
| FortiIsolator | |
| Extended | |
| FortiDeceptor | |
| Extended | |
| FortiEDR |