Virus

W95/Weird.10240

Analysis

  • Viral body is 10,240 bytes and is prepended to files
  • Virus locates Explorer.exe and copies it as a new file into the Windows folder with a single character extension such as "Explorer.m" - the virus then infects this copy
  • Virus attempts to overwrite the existing Explorer.exe with the infected copy using the [rename] section of WININIT.INI, which replaces files at Windows startup - this method does not work properly on Windows NT-based operating systems
  • Virus infects files in the Windows\System folder and any file accessed afterwards
  • Virus opens a connection to the Internet using TCP port 17300 - this is done in an effort to allow remote access to the infected host
  • Virus contains the following text string -

    Coded by Weird
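The following is an added example, not part of the Fortinet entry, showing how a defender could check a host for the three traits listed above: a WININIT.INI [rename] entry that replaces Explorer.exe (or whose source has a single-character extension), a copy of Explorer with a single-character extension in the Windows folder, and a listener on TCP port 17300. The INI text, directory listing and netstat-style lines are constructed sample data; on a real host you would read WININIT.INI from the Windows folder, list that folder, and feed in `netstat -an` output.

```python
import re

# Constructed sample WININIT.INI content (not taken from an infected host).
SAMPLE_WININIT = """[rename]
NUL=C:\\WINDOWS\\TEMP\\setup.tmp
C:\\WINDOWS\\Explorer.exe=C:\\WINDOWS\\Explorer.m
"""

# Constructed directory listing of the Windows folder.
SAMPLE_WINDIR = ["Explorer.exe", "Explorer.m", "notepad.exe", "win.ini"]

# Constructed lines in the format of `netstat -an` on Windows.
SAMPLE_NETSTAT = """  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:17300          0.0.0.0:0              LISTENING
"""

WEIRD_PORT = 17300  # port named in the entry above

# "name.x" where x is exactly one letter or digit, e.g. Explorer.m
SINGLE_CHAR_EXT = re.compile(r"^[^.\\/]+\.[A-Za-z0-9]$")


def _basename(path):
    """Last component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def parse_rename_section(ini_text):
    """Return (destination, source) pairs from the [rename] section of WININIT.INI.

    Each line there is "destination=source"; Windows copies source over
    destination at startup (a destination of NUL means delete the source).
    """
    entries = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "rename" and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            entries.append((dest, src))
    return entries


def suspicious_renames(ini_text):
    """Flag [rename] entries that replace Explorer.exe or copy from a
    single-character-extension file, the pattern described in the entry."""
    flagged = []
    for dest, src in parse_rename_section(ini_text):
        if _basename(dest).lower() == "explorer.exe" or SINGLE_CHAR_EXT.match(_basename(src)):
            flagged.append((dest, src))
    return flagged


def explorer_copies(filenames):
    """Return names of the form Explorer.<one character> from a folder listing."""
    pat = re.compile(r"^explorer\.[A-Za-z0-9]$", re.IGNORECASE)
    return [name for name in filenames if pat.match(name)]


def listening_on_port(netstat_text, port=WEIRD_PORT):
    """True if a TCP socket in LISTENING state is bound to the given port."""
    pat = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)
    for line in netstat_text.splitlines():
        m = pat.match(line)
        if m and int(m.group(2)) == port:
            return True
    return False


if __name__ == "__main__":
    print("suspicious WININIT.INI renames:", suspicious_renames(SAMPLE_WININIT))
    print("Explorer copies in Windows folder:", explorer_copies(SAMPLE_WINDIR))
    print("listener on TCP %d:" % WEIRD_PORT, listening_on_port(SAMPLE_NETSTAT))
```

Any one of the three checks firing is a reason to pull the host for closer inspection; the WININIT.INI check is the most reliable on Windows 9x, since the entry is written before the reboot that would complete the replacement.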

Recommended Action

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option