Virus

W32/Yaha.Q@mm

Analysis

  • Virus is 32bit, with a compressed size of 44,544 bytes
  • Virus icon resembles that of a TXT file associated with Notepad
  • Virus may search the following list and attempt to terminate several Antivirus or firewall related applications, based on a table of names
  • Virus may copy itself to the Windows\System folder as “exeLoader.exe”, and modify the registry to run this any time an EXE file is run –

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = ““C:\Windows\System\exeLoader.exe””undefined1“undefined*

    * original value for above was
    (Default) = “undefined1” undefined*

  • Virus modifies the registry to run at Windows startup –

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    Windows Task = C:\Windows\System\wintask32.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
    Windows Task = C:\Windows\System\wintask32.exe

  • Virus will create additional keys in the system registry –
    HKEY_LOCAL_MACHINE\Software\Microsoft\Snakes\
    Author = R0xx
    Comments = This system belongs to the great Indians…
    Version = 2.01 Beta
    Web = http://www.indiansnakes.cjb.net
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZoneCheck\
    (Default) = pakistan.gov.pk

  • HKEY_LOCAL_MACHINE\Software\Microsoft\WinVer\
    (Default) = xbthsn

  • Next, the virus will scavenge the local drive for email addresses and send a copy of itself to addresses found in varying email formats, based on a randomly selected subject line and body text

  • Message is structured such that it uses an exploit which will cause the attachment to launch automatically when the message is either opened, or previewed in Outlook

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option