VirusVBS/VBSWG.AU
Analysis
VBS/VBSWG.AU - 05-12-07
Files:
- Copies itself to: + undefinedSystemDirectoryundefined
- Delete Files
Installation to System:
- When run, it copies itself to:
Windows folder - And creates these registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinUpdate" = "wscript.exe undefinedWinDirundefined\mypics.vbs"
More Info:
It atttempts to spread through Internet Relay Chat channels by modifying the script.ini file. It then creates the file mypics.txt that contains the following text strings: "you have been infected with the mypics viri" It deletes the file C:\Program Files\America Online 9.0\aol.exe, then copies itself as autoexec.exe in the root folder of Drive C, and as winpgup.exe in the "C:\windows\system" folder.
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |