W32/Foobot.Backdoor
Analysis
- Virus is 32bit and was coded using Visual Basic 6
- Virus requires the VB6 runtime library MSVBVM60.DLL on the target system in order to be a threat
- When executed, the virus may copy itself to the Windows folder as “mspread.exe” and launch itself
- Virus will attempt to download an ActiveX control from this location:
  http://thecleaner.publication.org.uk/vbruntimes/MSWINSCK.OCX
  and copy this file to the Windows\System32 folder
- The virus will attempt to download “foobot.exe”, a remote access Trojan, from an Angelfire.com website
- The remote access Trojan will listen for instructions, which may include the ability to download files from an Internet location and even execute them remotely
- It will then attempt to connect to other computers and map a drive Q: to that system using the “net use” command. If successful, the virus will attempt to copy itself to that system in the following paths:
  Q:\Documents and Settings\All Users\Start Menu\Programs\Startup\mspread.exe
  Q:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\mspread.exe
  Q:\Documents and Settings\All Users\Start-meny\Program\Autostart\mspread.exe
  Q:\Windows\Start menu\programs\startup\mspread.exe
- Virus connects to the Internet and listens for instructions or awaits a login attempt from a hacker or group of hackers
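The behaviours above (the OCX download host, the MSWINSCK.OCX drop into System32, execution of mspread.exe, the “net use” mapping of drive Q:, and the copy of mspread.exe into the four startup folders over that mapped drive) can be turned into host-based detection logic. The following is an added example written for this page, not code from Fortinet or from the writeup; the event dictionaries and their field names (type, image, cmdline, target, host) are this example's own assumed shape for EDR or Sysmon-style telemetry, and the sample events are constructed.

```python
"""Constructed detector for the W32/Foobot.Backdoor host behaviours described above.

Assumed input: a list of dicts, one per telemetry event, with a "type" of
"process", "file" or "network" and the fields used below. The field names are
this example's own, not those of any specific EDR product.
"""
import re
from typing import Dict, List, Tuple

DROPPER_NAME = "mspread.exe"                      # copy of the virus in the Windows folder
DOWNLOAD_HOST = "thecleaner.publication.org.uk"   # host serving MSWINSCK.OCX per the writeup
SPREAD_DRIVE = "q:"                               # drive letter mapped with "net use"

# Startup folders from the writeup, lower-cased for comparison
# (English, Dutch and Swedish Windows 2000/XP layouts plus the Win9x layout).
STARTUP_PATHS = (
    r"documents and settings\all users\start menu\programs\startup",
    r"documents and settings\all users\menu start\programma's\opstarten",
    r"documents and settings\all users\start-meny\program\autostart",
    r"windows\start menu\programs\startup",
)

# "net use Q:" invoked directly or as net.exe, any spacing, any case
NET_USE_RE = re.compile(r"\bnet(?:\.exe)?\s+use\s+q:", re.IGNORECASE)


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive suffix/substring checks."""
    return path.replace("/", "\\").lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of indicator tags that a single event matches (empty if none)."""
    tags: List[str] = []
    kind = event.get("type")
    if kind == "process":
        if NET_USE_RE.search(event.get("cmdline", "")):
            tags.append("net_use_q_drive")
        if _norm(event.get("image", "")).endswith("\\" + DROPPER_NAME):
            tags.append("mspread_exec")
    elif kind == "file":
        target = _norm(event.get("target", ""))
        if target.endswith("\\" + DROPPER_NAME):
            tags.append("mspread_write")
            # Write of the dropper into a startup folder on the mapped Q: drive
            # is the lateral-spread step; flag it separately so it can alert at high severity.
            if target.startswith(SPREAD_DRIVE + "\\") and any(p in target for p in STARTUP_PATHS):
                tags.append("remote_startup_drop")
        if target.endswith("\\mswinsck.ocx") and "\\system32\\" in target:
            tags.append("mswinsck_ocx_drop")
    elif kind == "network":
        if event.get("host", "").lower() == DOWNLOAD_HOST:
            tags.append("ocx_download_host")
    return tags


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, tags) for every event that matched at least one indicator."""
    return [(i, t) for i, e in enumerate(events) if (t := classify(e))]


# Constructed sample telemetry: six events mirroring the writeup, two benign.
SAMPLE_EVENTS = [
    {"type": "network", "host": "thecleaner.publication.org.uk", "uri": "/vbruntimes/MSWINSCK.OCX"},
    {"type": "file", "target": r"C:\Windows\System32\MSWINSCK.OCX"},
    {"type": "process", "image": r"C:\Windows\mspread.exe", "cmdline": r"C:\Windows\mspread.exe"},
    {"type": "process", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use Q: \\HOST-PLACEHOLDER\share"},
    {"type": "file", "target": r"Q:\Documents and Settings\All Users\Start Menu\Programs\Startup\mspread.exe"},
    {"type": "file", "target": r"Q:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\mspread.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "file", "target": r"C:\Users\alice\report.docx"},
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(tags)}")
```

The startup-folder list is deliberately matched as substrings of the lower-cased path so that the same rule fires whether the target was reached through Q:, a UNC path or a different drive letter; only the `remote_startup_drop` tag is restricted to the Q: drive the writeup names. In production the individual tags would feed a correlation rule (for example, `net_use_q_drive` followed within a short window by `remote_startup_drop` from the same process) rather than alerting one at a time.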
Telemetry

Detection Availability

| Product | Detection Availability |
|---|---|
| FortiClient | Extreme |
| FortiMail | Extreme |
| FortiSandbox | Extreme |
| FortiWeb | Extreme |
| Web Application Firewall | Extreme |
| FortiIsolator | Extreme |
| FortiDeceptor | Extreme |
| FortiEDR | |