W32/Atak.C
Analysis
Specifics
This 32-bit mass-mailer is packed, with a file size of 14,245 bytes. The virus carries its own SMTP engine and delivers mail directly to the mail exchanger (MX) of each target address: for every email address gathered on the infected system, it first performs a DNS MX query against the domain part of the address.
Mass-mailing Routine
The virus harvests email addresses from the host by scanning the hard drive for files with certain extensions and extracting anything that looks like a valid email address. It then constructs varied email messages carrying an infectious attachment and sends one to each address found on the infected system.
Next, the virus uses its own SMTP code to connect to the MX servers that may exist for each harvested address. The subject and body text are variable, with only a couple of different possibilities, and the virus attaches itself to the email as a .ZIP file with a random name.
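A detection check matching the delivery pattern described above (an added example, not code from the original page or from Fortinet): it flags a workstation that issues MX queries for several domains and then opens its own port-25 connections to multiple destinations, while excluding hosts permitted to relay mail. The log formats, addresses and thresholds are assumptions constructed for this illustration.

```python
"""Flag hosts that resolve MX records for many domains and then open their
own SMTP connections, the delivery pattern described for W32/Atak.C.
The log lines and addresses below are constructed for this example."""
from collections import defaultdict

# Constructed DNS resolver log: timestamp, client, query type, name
DNS_LOG = """\
2004-07-12T09:00:01 10.0.0.23 MX example.com
2004-07-12T09:00:02 10.0.0.23 MX example.org
2004-07-12T09:00:02 10.0.0.23 MX example.net
2004-07-12T09:00:03 10.0.0.23 MX example.edu
2004-07-12T09:00:05 10.0.0.40 A www.example.com
2004-07-12T09:00:07 10.0.0.5 MX example.com
"""
# Constructed firewall connection log: timestamp, src, dst, dst port
CONN_LOG = """\
2004-07-12T09:00:04 10.0.0.23 192.0.2.10 25
2004-07-12T09:00:04 10.0.0.23 192.0.2.20 25
2004-07-12T09:00:05 10.0.0.23 192.0.2.30 25
2004-07-12T09:00:06 10.0.0.23 192.0.2.40 25
2004-07-12T09:00:08 10.0.0.5 192.0.2.10 25
2004-07-12T09:00:09 10.0.0.40 198.51.100.7 443
"""
MAIL_SERVERS = {"10.0.0.5"}  # hosts that legitimately send SMTP (assumed)

def find_mass_mailers(dns_log, conn_log, mail_servers=MAIL_SERVERS,
                      min_domains=3, min_mx_hosts=3):
    mx_domains = defaultdict(set)   # client -> domains it asked MX for
    smtp_peers = defaultdict(set)   # client -> distinct port-25 destinations
    for line in dns_log.splitlines():
        _ts, client, qtype, name = line.split()
        if qtype == "MX":
            mx_domains[client].add(name.lower())
    for line in conn_log.splitlines():
        _ts, src, dst, dport = line.split()
        if dport == "25":
            smtp_peers[src].add(dst)
    alerts = {}
    # Only hosts that both looked up MX records and spoke SMTP themselves
    for client in mx_domains.keys() & smtp_peers.keys():
        if client in mail_servers:
            continue
        if (len(mx_domains[client]) >= min_domains
                and len(smtp_peers[client]) >= min_mx_hosts):
            alerts[client] = {"mx_domains": sorted(mx_domains[client]),
                              "smtp_peers": sorted(smtp_peers[client])}
    return alerts

if __name__ == "__main__":
    for host, d in find_mass_mailers(DNS_LOG, CONN_LOG).items():
        print(f"ALERT {host}: MX lookups for {len(d['mx_domains'])} domains, direct SMTP to {len(d['smtp_peers'])} hosts")
```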
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Detection Availability

| Product | Database |
|---|---|
| FortiClient | Extreme |
| FortiMail | Extreme |
| FortiSandbox | Extreme |
| FortiWeb | Extreme |
| Web Application Firewall | Extreme |
| FortiIsolator | Extreme |
| FortiDeceptor | Extreme |
| FortiEDR | |