This virus is a 32-bit executable; the UPX-packed file is 43,247 bytes. It was written in Visual Basic 5, and parts of the code are further encrypted in an effort to evade detection by string-scanning methods.
If the virus is executed, it may display a fake error dialogue box like this -
The virus copies itself as two files to the System32 folder and registers itself to load at Windows startup. The file names vary: each is built by randomly concatenating strings drawn from a file name table. For example, the file name table contains these strings -
sys, host, dir, expoler, win, run, log, 32, disc, crypt, data, diag, spool, service, smss32
Using the table, the virus could construct file names like these -
and so on. The registry will have entries to load the newly created executables.
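A defender-side check for the naming scheme described above, added here as an example that is not from the original page or the vendor: it tests whether a file name in System32 can be built entirely from the quoted token table. The token table is the one listed above (kept verbatim, including the "expoler" spelling); the sample directory listing and the minimum-token threshold are constructed assumptions.

```python
import re
from typing import List, Optional

# File name table quoted on the page (verbatim, including "expoler")
NAME_TOKENS = ["sys", "host", "dir", "expoler", "win", "run", "log", "32",
               "disc", "crypt", "data", "diag", "spool", "service", "smss32"]

def decompose(stem: str, tokens=NAME_TOKENS) -> Optional[List[str]]:
    """Return a list of table tokens whose concatenation equals `stem`
    (case-insensitive), or None if the stem cannot be built from the table.
    Depth-first search with backtracking and memoisation on the position."""
    stem = stem.lower()
    memo = {}

    def go(i: int) -> Optional[List[str]]:
        if i == len(stem):
            return []
        if i in memo:
            return memo[i]
        for t in tokens:
            if stem.startswith(t, i):
                rest = go(i + len(t))
                if rest is not None:
                    memo[i] = [t] + rest
                    return memo[i]
        memo[i] = None
        return None

    return go(0)

def is_suspicious_name(filename: str, min_tokens: int = 2) -> bool:
    """Flag an executable whose stem consists only of table tokens.
    `min_tokens` (assumed threshold) avoids flagging legitimate single-word
    names such as "spool.exe" on their own."""
    m = re.fullmatch(r"([A-Za-z0-9]+)\.(exe|com|pif|scr|bat)", filename, re.IGNORECASE)
    if not m:
        return False
    parts = decompose(m.group(1))
    return parts is not None and len(parts) >= min_tokens

def scan_listing(names: List[str]) -> List[str]:
    """Return the file names from a directory listing that match the scheme."""
    return [n for n in names if is_suspicious_name(n)]

# Constructed sample listing: a mix of legitimate names and table-built names
SAMPLE_LISTING = ["kernel32.dll", "winlogon.exe", "syshost32.exe", "dirdata.exe",
                  "notepad.exe", "spool.exe", "crypt32.dll", "rundiaglog.scr"]
```

Run `scan_listing(SAMPLE_LISTING)` against a real System32 listing to triage candidates; a hit is a lead for hash or signature confirmation, not proof of infection on its own.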
Mass mailing routine
The virus harvests email addresses from the infected system by scanning certain file types and compiling them into email capture log files. The log files are stored in the System32 folder as "datamx.dam" and "dgsfzipp.gmx".
The virus is selective about the addresses it sends itself to: it avoids any email address that contains one of these strings -
The virus uses fuzzy logic (in practice, a check on the address suffix) to decide whether the recipient can read German-language email. If the suffix of the email address is any of these -
.de, .ch, .at, .li
the virus sends an email with a German body text; otherwise the body text is in English.
The file attached to the email message can be either a .ZIP file or a directly executable file with an extension such as .COM, .EXE, .PIF, .SCR or .BAT. The virus stores UUEncoded copies of itself in both ZIP and executable formats on the local system.
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push
- Alternatively, this virus can be blocked by FortiGate units by enabling blocking of file attachments with .ZIP, .COM, .EXE, .BAT, .PIF or .SCR extensions; using the FortiGate manager, enable blocking of these extensions for the SMTP, IMAP and POP3 services