Threat Encyclopedia
W32/Scold.B@mm
Analysis
- Virus is 32-bit with a compressed file size of 28,160 bytes, and is a minor variant of W32/Scold.A-mm
- Virus is introduced to a target system via an email attachment from another infected user
- If the virus is run, it may copy itself to the %Windows% folder as "warm.scr" and modify the registry to auto-run this virus at the next Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
ExeName32 = C:\WINNT\warm.scr
- The virus will create an email message for each contact listed in the Windows address book. The email message may be slightly varied, with the following properties:
Subject: %x% When It´s Cold Outside She Gives Me Warm Inside %random%
Body 1:
You will love this cute picture.
Body 2:
Enjoy this great picture.
Body 3:
Don't miss this cool picture.
Additional Body:
============= Free Online Virus Scan =============
100% VIRUS FREE
No viruses or suspicious files were found in the attached file.
Attachment: %random%.scr
- In the example above, %x% is either "", "Fw:" or "Re:", and %random% is a string of random letters
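The message traits listed above (subject format, random-letter .scr attachment, fake scan banner) and the Run-key entry can be turned into simple host and mail-gateway checks. This is an added example, not Fortinet's own code or the encyclopedia's; the sample message and registry line are constructed here to match the description, and the indicator names are arbitrary.

```python
import re
from email import message_from_string

# Heuristics derived from the W32/Scold.B@mm description above.
SUBJECT_RE = re.compile(
    r"^(?:Fw: |Re: )?When It.s Cold Outside She Gives Me Warm Inside [A-Za-z]+$")
ATTACHMENT_RE = re.compile(r"^[A-Za-z]+\.scr$", re.IGNORECASE)
BANNER = "Free Online Virus Scan"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample message shaped like the worm's mail (not a real capture).
SAMPLE = (
    "From: someone@example.invalid\r\n"
    "Subject: Fw: When It's Cold Outside She Gives Me Warm Inside kqzp\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\n"
    "Enjoy this great picture.\r\n"
    "============= Free Online Virus Scan =============\r\n"
    "100% VIRUS FREE\r\n"
    '--b1\r\nContent-Type: application/octet-stream; name="kqzp.scr"\r\n'
    'Content-Disposition: attachment; filename="kqzp.scr"\r\n\r\n'
    "MZ...\r\n--b1--\r\n")


def scold_indicators(raw_message: str) -> list:
    """Return the Scold.B traits present in one RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        hits.append("subject")
    body = ""
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACHMENT_RE.match(name):
            hits.append("scr-attachment")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode(errors="replace")
    if BANNER in body:
        hits.append("fake-scan-banner")
    return hits


def is_scold_mail(raw_message: str) -> bool:
    # A matching subject alone is weak evidence; require the .scr as well.
    hits = scold_indicators(raw_message)
    return "scr-attachment" in hits and ("subject" in hits or "fake-scan-banner" in hits)


def autorun_is_scold(reg_line: str) -> bool:
    """Check one 'key\\value = data' line like the registry excerpt above."""
    key_value, _, data = reg_line.partition("=")
    return (key_value.strip().lower().startswith(RUN_KEY.lower() + "\\exename32")
            and data.strip().lower().endswith("\\warm.scr"))
```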
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option
- Enable blocking of .SCR file attachments using the FortiGate manager interface for POP3, SMTP and IMAP email services
- Add the following words to the Email quarantine feature of FortiGate:
Cold+Outside+She+Gives+Me+Warm+Inside
- Configure email server applications to quarantine emails tagged by FortiGate and delete as necessary