Threat Encyclopedia
VBS/Sorry.C
Analysis
- Virus is coded in VBScript and is 11,033 bytes
- Virus adds a key in the registry to load at Windows startup -
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ttfload = (.VBS filename)
- Virus scans a range of IP addresses and
  - attempts to map the host to the target IP address
  - attempts to search all subfolders on the target system, and copy itself as the filename "ttfloads.vbs" into matching subfolder names
    startm~1\programs\startup\
    profiles\admini~1\startm~1\programs\startup\
    profiles\alluse~1\startm~1\programs\startup\
- Virus modifies existing SCRIPT.INI mIRC configuration
file to send "sndvol.vbs" to others
- Virus contains this comment line -
'ttfloader.vbs v0.4 by: soRRyAzzC0DER
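
The indicators listed above can be checked against a mounted disk image or file share and a text export of the Run key. The following triage sketch is an added example, not part of the original entry; the function names, the finding labels, the "example.vbs" placeholder and the sample export are assumptions constructed for illustration.

```python
import os

# Indicators copied from the description above (stored lowercase for matching).
DROPPED_NAME = "ttfloads.vbs"
MARKER = "ttfloader.vbs v0.4"
MIRC_PAYLOAD = "sndvol.vbs"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = '"ttfload"='

# Constructed sample of a regedit text export (not taken from a real host).
CONSTRUCTED_REG_EXPORT = (
    "REGEDIT4\n\n"
    "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"SystemTray"="SysTray.Exe"\n'
    '"ttfload"="C:\\\\WINDOWS\\\\example.vbs"\n'
)

def read_lower(path, limit=1 << 20):
    """Read at most `limit` bytes and lowercase them for case-insensitive matching."""
    with open(path, "rb") as fh:
        return fh.read(limit).decode("latin-1").lower()

def scan_tree(root):
    """Walk a mounted image or share; return sorted (indicator, relative path) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, low = os.path.join(dirpath, name), name.lower()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                if low == DROPPED_NAME:
                    findings.append(("dropped-copy", rel))
                if low.endswith(".vbs") and MARKER in read_lower(path):
                    findings.append(("author-comment", rel))
                if low == "script.ini" and MIRC_PAYLOAD in read_lower(path):
                    findings.append(("mirc-script", rel))
            except OSError:
                continue  # unreadable file: skip it and keep walking
    return sorted(findings)

def scan_reg_export(text):
    """Return the lines that set the ttfload value under the HKLM Run key."""
    section, hits = "", []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()  # remember which key the next values belong to
        elif section == RUN_KEY and s.lower().startswith(RUN_VALUE):
            hits.append(s)
    return hits
```

A file named "ttfloads.vbs" that also carries the author comment produces two findings for the same path, which helps separate a live copy from an unrelated file that merely shares the name.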