W97M/Ramiel.A@mm
Analysis
- Infects Microsoft Word 97 and later Word documents.
- Polymorphic mass-mailing Word macro virus.
- As its polymorphic mechanism, it inserts a line of randomly-generated characters between every other line of its macro source code.
- Inside Microsoft Word:
Disables Macro virus protection
Disables Tools|Macro toolbar and hotkey
Disables Tools|Templates and Add-ins... and hotkey
Disables Tools|Customize and hotkey
Disables Tools|Options and hotkey
- Disables the Alt+F11 (VBA Editor) hotkey. If the user attempts this key combination, a dialog box with the following text is displayed:
Se Trato de acceder a un componente no valido
- Upon infecting a document, it sets or changes the document properties to:
Author: Machinedramon
Subject: Ramiel
Comments: Derechos Reservados
Organization: GEDZAC
Marcas Registradas: GEDZAC
Hecho en el Peru, Calidad Mundial
Sachiel2015@latinmail.com
Contrasenas: Ramiel, leimaR, Rlaemi
- If it is the 3rd day of the week (Tuesday), inserts the following text into the document:
Mientras Dios se quede en su cielo, todo en la tierra estara bien. Geofronte - Dist 1 de Tokio3 Ramiel
- If it is the 21st day of the month, sets the Word application user name to "Ramiel" and sets the document password to one of the following three passwords:
Ramiel
leimaR
Rlaemi
- As an aside, December 21st, 2004 is both a Tuesday and the 21st of the month, so both of the above trigger conditions are met on that day.
- Contains code that uses Microsoft Outlook to send itself as an email attachment to every address found in the Outlook address book. The subject and message body are chosen at random from the following possibilities:
Subject
Articulo de interes
Te envio este documento
Encontre un articulo interesante
Consejo
Preocupacion
Message Body
Te envio este articulo, tal vez te interese,
me escribes para saber como te parecio
Adios
Quisiera que me des tu opinion sobre este documento,
que te envio, espero tu opinion
Adios
Te envio este articulo lo encontre
en una paginaWeb y lo copie en word,
tal vez te sea de utilidad
Adios
Hola, nesecito que me des tu opinion sobre un asunto,
Te envio el documento que recibi, lo pase a Word
estoy indeciso, te agradeceria si me dieras tu opinion, Adios
Me tiene preocupado un documento que recibi, lo transcribi a computadora
quisiera que me des tu opinion, tal vez no sea para tanto.
Adios
- Sets the Internet Explorer start page to:
http://www.gratisweb.com/machinedramon1/sachiel.jpg.scr.
- When the user launches Internet Explorer, the browser opens this site, from which the file sachiel.jpg.scr is downloaded and executed. The page is no longer live.
- Scans the Windows registry for the following known entries of common antivirus and firewall software. For each entry found, the threat attempts to delete "*.exe" within the referenced path in an attempt to disable the application.
HKEY_LOCAL_MACHINE\Software\Hacksoft\The Hacker Anti-Virus\THDAT\
HKEY_LOCAL_MACHINE\Software\PER Systems\PER Antivirus\Instalación\dirPrincipal
HKEY_LOCAL_MACHINE\Software\Command Software\F-PROT32\Location
HKEY_LOCAL_MACHINE\Software\FRISK Software International\FP-Win\Program Root
HKEY_LOCAL_MACHINE\Software\McAfee\VirusScan\Location
HKEY_LOCAL_MACHINE\Software\Cybec\VET Antivirus for Win32\Resident\VetPath
HKEY_LOCAL_MACHINE\Software\ALWIL Software\Avast32\Path
HKEY_USERS\.DEFAULT\Software\MooSoft Development\The Cleaner\tcshellex
HKEY_LOCAL_MACHINE\Software\Panda Software\Panda Antivirus 6.0\Path
HKEY_LOCAL_MACHINE\Software\KasperskyLab\Components\100\Folder
HKEY_LOCAL_MACHINE\Software\Symantec\InstalledApps\NAV
HKEY_LOCAL_MACHINE\Software\Norman Data Defense Systems\RootPath
HKEY_LOCAL_MACHINE\Software\ComputerAssociates\Anti-Virus\Resident\VetPath
HKEY_LOCAL_MACHINE\Software\Zone Labs\ZoneAlarm\InstallDirectory
HKEY_LOCAL_MACHINE\Software\Network ICE\BlackICE\Installer
HKEY_LOCAL_MACHINE\Software\TinySoftware\Tiny Personal Firewall\2.00\DestPath
HKEY_LOCAL_MACHINE\Software\Sygate Technologies, Inc.\Sygate Personal Firewall\smc_install_path
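The following triage helper is an added example, not code from this entry or from the virus: it checks a document's properties, body text and the IE start page against the indicators listed above, reports which of the two date-based payloads fire on a given date, and tries the three known document passwords through a caller-supplied unlock callback. The "organization" property key and the hit labels are assumptions of this example.

```python
import datetime

# Document properties the virus writes (values from the analysis above);
# the "organization" key is an assumed name for the Company/Organization property.
RAMIEL_PROPERTIES = {
    "author": "Machinedramon",
    "subject": "Ramiel",
    "comments": "Derechos Reservados",
    "organization": "GEDZAC",
}
# Text inserted into the document body by the Tuesday payload.
RAMIEL_BODY_MARKERS = (
    "Mientras Dios se quede en su cielo, todo en la tierra estara bien.",
    "Geofronte - Dist 1 de Tokio3 Ramiel",
)
# Document passwords set by the 21st-of-month payload.
RAMIEL_PASSWORDS = ("Ramiel", "leimaR", "Rlaemi")
# Start page written for Internet Explorer.
RAMIEL_START_PAGE = "http://www.gratisweb.com/machinedramon1/sachiel.jpg.scr"


def ramiel_triggers(iso_date: str) -> dict:
    """Report which date-based payloads would fire on an ISO date (YYYY-MM-DD)."""
    day = datetime.date.fromisoformat(iso_date)
    return {
        "insert_text": day.weekday() == 1,  # Tuesday
        "set_password": day.day == 21,
    }


def ramiel_indicators(props: dict, body: str, ie_start_page: str = "") -> list:
    """Return indicator labels matched by document properties (case-insensitive
    keys), the document body text, and the IE start page value."""
    hits = []
    lowered = {str(k).lower(): str(v).strip() for k, v in props.items()}
    for key, expected in RAMIEL_PROPERTIES.items():
        if lowered.get(key, "").lower().startswith(expected.lower()):
            hits.append(f"property:{key}")
    if any(marker in body for marker in RAMIEL_BODY_MARKERS):
        hits.append("body:tuesday_text")
    if ie_start_page.strip().rstrip(".").lower() == RAMIEL_START_PAGE.lower():
        hits.append("registry:ie_start_page")
    return hits


def try_known_passwords(unlock):
    """Call unlock(password) with each known password; return the first accepted one."""
    for password in RAMIEL_PASSWORDS:
        if unlock(password):
            return password
    return None
```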
Recommended Action
Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Telemetry
Detection Availability
Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |