W32/MSInit.B

description-logoAnalysis

  • Virus is 32bit, with a UPX compressed size of 220,672 bytes
  • When first executed, virus will copy itself as "wininit.exe" to the Windows\System folder.
  • Virus will modify the registry in order to load at next Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunServices\
    bymer.scanner =
    C:\Windows\System\wininit.exe -hide -install

  • Virus will seek machines which are connected to the network via NetBIOS and attempt to connect to systems which have a full system share available -

    • machines found will be targets for the virus, and the virus will copy itself to that system and modify the WIN.INI to load the virus at next Windows startup
  • This variant contains the DNETC.EXE Distributed.Net client application, which is the reason for a noticeable size difference between variants .A and .B.
  • Virus contains these strings -

    [parameters]
    id=bymer@ukrpost.net

    [misc]
    project-priority=OGR,RC5,CSC,DES

    [rc5]
    fetch-workunit-threshold=64

    [ogr]
    fetch-workunit-threshold=16

    [triggers]
    restart-on-config-file-change=yes

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR