VBS/Wimpey.A !tr
Analysis
- Virus is coded in Batch script and is 2,790 bytes
- If the virus is run, it may immediately disable the keyboard and the mouse by passing parameters to RUNDLL.EXE on the command line
- The virus then writes code using output redirection to create the file "c:\Windows\outlook.vbs"
- This written file is detected as VBS/Wimpey.A-mm by FortiGate virus definitions
- The virus launches outlook.vbs immediately after creating it
- Outlook.vbs instructs Outlook to construct a message in the following format -
Subject: Warning
Body:
Warning There Is A Virus Spreading Around. For Full Deatails Please Open The Attachment
Attachment: Outlook.vbs
- Outlook.vbs runs a loop counter and sends the message to all contacts found in all available contact lists
- Outlook.vbs does not run at Windows startup - it only runs when executed by the dropper program or opened out of user curiosity
- If the virus is run again in the future, either accidentally or on purpose, it modifies outlook.vbs by appending duplicate code - this duplication causes outlook.vbs to fail to run
- The virus attempts to delete files in the current folder matching these patterns -
*.jpg
*.bmp
*.avi
*.mov
*.sys
*.txt
*.dll
*.pwd
Recommended Action
- Ensure the FortiGate unit is updated to Virus Definitions 4.114
- Using the Administrator Console for the FortiGate unit, in the "Email Filter" section, add this entry to the "Banned Word" list (the misspelling is deliberate, matching the worm's message body) -
Full+Deatails+Please+Open+The+Attachment
- On the "Config" tab in the "Email Filter" section, modify the "email tag" by typing into the entry box a tag such as this one -
[POSSIBLE VIRUS]
- Configure the email server to quarantine email messages which are tagged by the FortiGate unit as matching the banned word criteria
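The filter logic the recommended action describes, written out as an added example (not Fortinet's code): the "+"-joined banned-word entry is matched case-insensitively across whitespace in the subject and text parts, a hit prepends the "[POSSIBLE VIRUS]" tag the mail server quarantines on, and any .vbs attachment name is reported. The sample message is constructed to resemble the worm's format, not a real capture.

```python
import re
from email import message_from_string

# Banned-word entry exactly as recommended above; FortiGate joins the words of a phrase with "+"
BANNED_WORDS = ["Full+Deatails+Please+Open+The+Attachment"]
EMAIL_TAG = "[POSSIBLE VIRUS]"

def phrase_pattern(entry: str) -> re.Pattern:
    """'+'-joined entry -> case-insensitive regex tolerating any whitespace (even a line break) between words."""
    words = [re.escape(w) for w in entry.split("+") if w]
    return re.compile(r"\b" + r"\s+".join(words) + r"\b", re.IGNORECASE)

PATTERNS = [(entry, phrase_pattern(entry)) for entry in BANNED_WORDS]

def filter_message(raw: str) -> dict:
    """Apply the banned-word check to subject + text parts, tag the subject on a hit, flag .vbs attachments."""
    msg = message_from_string(raw)
    chunks, vbs = [msg.get("Subject", "")], []
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(".vbs"):
            vbs.append(name)
        elif part.get_content_type().startswith("text/"):
            chunks.append(part.get_payload(decode=True).decode("utf-8", errors="replace"))
    text = " ".join(chunks)
    hits = [entry for entry, pat in PATTERNS if pat.search(text)]
    subject = msg.get("Subject", "")
    if hits:
        subject = f"{EMAIL_TAG} {subject}"   # the tag the mail server's quarantine rule keys on
    return {"subject": subject, "banned_hits": hits, "vbs_attachments": vbs, "quarantine": bool(hits)}

# Constructed sample resembling the worm's message (not a real capture); the body wraps mid-phrase
SAMPLE = """Subject: Warning
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Warning There Is A Virus Spreading Around. For Full Deatails
Please Open The Attachment
--b1
Content-Type: application/octet-stream; name="Outlook.vbs"
Content-Disposition: attachment; filename="Outlook.vbs"

(attachment content omitted in this constructed sample)
--b1--
"""
CLEAN = "Subject: Meeting\nContent-Type: text/plain\n\nPlease open the attachment for full details.\n"
```

Note that the correctly spelled phrase in CLEAN does not trigger the entry, which is why the banned word must reproduce the worm's misspelling exactly.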