W32/Wallon.D@mm
Analysis
This virus is a 32-bit Windows executable, packed with ASPack, with a file size in excess of 150,000 bytes.
If the virus is executed, it sends email to addresses found in the Windows Address Book (WAB) and attempts to download and run a binary executable.
When the virus sends its email messages, it skips target addresses that contain any of these strings:
microsoft
support
software
webmaster
postmaster
admin
The virus then constructs an HTML-encoded message body for the email in this format:
<A href="http://drs.yahoo.com/<recipient domain>/NEWS/*http://www.security-warning.***/*********/*******/www.YAHOO.com/#http://drs.yahoo.com/<recipient domain>/NEWS">http://drs.yahoo.com/<recipient domain>/NEWS</A>
In the above, "<recipient domain>" stands for the domain of the email address targeted by the virus. Additionally, the actual URL above has been edited with multiple asterisks to protect the curious.
The virus relies on the recipient's email client rendering HTML: the visible link text is a simple URL, which displays in the message body as in this example:
http://drs.yahoo.com/hotmail.com/NEWS
Here "hotmail.com" is the domain of the email recipient. Clicking the link would redirect the browser to download a copy of the virus from a hosting web site; that hosting location is no longer available or has been disabled.
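As an added example (not part of the Fortinet advisory), the following Python flags anchors in an HTML mail body whose visible text is a URL that does not match the real destination, the disguise described above. The sample body is constructed; the host masked with asterisks in the advisory is replaced by the placeholder www.security-warning.example, and the function names are my own.

```python
# Added example, not from the advisory: flag HTML anchors whose visible text
# is a URL but whose href really leads elsewhere, as the Wallon.D mail body does.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loose test for "this link text looks like a URL" (scheme optional).
URL_TEXT_RE = re.compile(r"^(?:https?://)?[\w.-]+\.\w+(?:/\S*)?$", re.I)

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lowercases tag names for us
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host of a URL; a bare 'host/path' string is read as http."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def deceptive_links(html):
    """Return hrefs whose link text is a URL on another host, or whose path/query/fragment embeds a second URL."""
    collector = AnchorCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.anchors:
        parts = urlparse(href)
        text_is_url = bool(URL_TEXT_RE.match(text))
        host_mismatch = text_is_url and host_of(text) != host_of(href)
        embedded_url = "://" in (parts.path + parts.query + parts.fragment)  # redirector trick
        if host_mismatch or embedded_url:
            flagged.append(href)
    return flagged

# Constructed sample in the shape of the Wallon.D body; the host masked in the
# advisory is replaced by the placeholder www.security-warning.example.
WALLON_HREF = ("http://drs.yahoo.com/hotmail.com/NEWS/*http://www.security-warning.example"
               "/a/b/www.YAHOO.com/#http://drs.yahoo.com/hotmail.com/NEWS")
SAMPLE_BODY = f'<A href="{WALLON_HREF}">http://drs.yahoo.com/hotmail.com/NEWS</A>'
```

In the Wallon.D sample the displayed host and the href host are the same (drs.yahoo.com), so it is the embedded second URL, not a host mismatch, that gives it away.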
Recommended Action
Check the main screen of the web interface of your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
Detection Availability
FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR