VBS/VBSWG.AU
Analysis
VBS/VBSWG.AU - 05-12-07
Files:
- Copies itself to: %SystemDirectory%
- Delete Files
Installation to System:
- When run, it copies itself to: Windows folder
- And creates these registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinUpdate" = "wscript.exe %WinDir%\mypics.vbs"
More Info:
It attempts to spread through Internet Relay Chat channels by modifying the script.ini file. It then creates the file mypics.txt, which contains the following text string: "you have been infected with the mypics viri". It deletes the file C:\Program Files\America Online 9.0\aol.exe, then copies itself as autoexec.exe in the root folder of drive C and as winpgup.exe in the "C:\windows\system" folder.
Detection Availability
Product | Detection Availability |
---|---|
FortiClient | Extreme |
FortiMail | Extreme |
FortiSandbox | Extreme |
FortiWeb | Extreme |
Web Application Firewall | Extreme |
FortiIsolator | Extreme |
FortiDeceptor | Extreme |
FortiEDR | |