W32/Polip.A
Analysis
This is a polymorphic virus for 32-bit portable executable (PE) files.
When this virus infects a target file, it adds a PE section reference into the PE header, and an additional PE section is inserted into the host file. The entry point may also be modified to point directly to the infectious code, but in some cases, the viral code is referenced later in the code sequence. The new code section may appear between existing code sections, or it could be an appended section. Files that become infected grow in size by 60Kb or more.
Miscellaneous
The new section will not have a name association such as ".idata" or ".rsrc".
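As an added illustration that is not part of the Fortinet entry, the following Python triage script parses a PE file's section table and flags the two traits described above: an executable section with no name, and an entry point that falls outside the usual code section. The COMMON_CODE_NAMES tuple and the synthetic header built by build_sample are assumptions made for the demonstration.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
COMMON_CODE_NAMES = (".text", "CODE")  # assumption: names a clean compiler normally gives its code section


def parse_pe(data):
    """Return (entry_rva, [(name, vaddr, vsize, characteristics), ...]) from a PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]      # NumberOfSections
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]         # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]         # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i                               # 40-byte IMAGE_SECTION_HEADER
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, vaddr, vsize, chars))
    return entry_rva, sections


def triage(data):
    """Flag the traits the analysis describes: an unnamed code section, or an entry point outside the usual code section."""
    entry, sections = parse_pe(data)
    findings = []
    for name, vaddr, vsize, chars in sections:
        if name == "" and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"unnamed executable section at RVA {vaddr:#x}")
        if vaddr <= entry < vaddr + vsize and name not in COMMON_CODE_NAMES:
            findings.append(f"entry point {entry:#x} lies in section {name!r}")
    return findings


def build_sample(sections, entry_rva):
    """Construct a minimal PE32 header image (constructed test data, not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                            # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, c) for n, va, vs, c in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


CLEAN = [(b".text", 0x1000, 0x2000, 0x60000020), (b".data", 0x3000, 0x1000, 0xC0000040)]
INFECTED = CLEAN + [(b"", 0x4000, 0xF000, 0x60000020)]  # extra unnamed code section holding the entry point
```

Packers and some compilers produce the same traits, so treat a hit as a triage signal to be confirmed with a current AV signature rather than as a detection on its own.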
Recommended Action
- Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option.
- Quarantine/delete infected files detected and replace infected files with clean backup copies.