Threat Encyclopedia



  • The virus is a 32-bit Windows executable with a compressed file size of 73,728 bytes
  • The virus was written in Visual Basic 6
  • The virus arrives on the system as an email attachment
  • The virus writes a copy of itself into the Windows System32 folder under one of several possible file names, and then modifies the registry so that the copy is loaded at Windows startup, as in this example -

    (value) = C:\WINNT\System32\syshostx.exe

    (value) = C:\WINNT\System32\syshostx.exe

  • The virus then scans the hard drive for email addresses, looking inside files with the following extensions -


  • The virus writes a file "savesyss.dll" to the Windows System32 folder - savesyss.dll contains all of the email addresses found on the system

  • The virus then uses its own SMTP engine to send randomly formatted email messages to the recipients in the list held in savesyss.dll - the subject lines and body text are varied, and the attachment file name is also chosen at random from a list

  • The email subject and body text may be in either English or German

  • Some of the following file names are used in an attempt to trick the recipient into thinking the file attachment is a web site link -
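The behaviour listed above gives a responder three host-side indicators to check: a Run value in the registry pointing at the dropped copy in System32, the dropped files themselves (the syshostx.exe copy and the savesyss.dll address list), and the harvested addresses that tell you who the infected host has been mailing. The script below is an added example, not code from the original page or from Fortinet; it works over constructed sample data (a registry export, a directory listing, and a fabricated savesyss.dll blob). The page only shows syshostx.exe as a dropped name, so the script treats any other executable launched from System32 as "review", which is an assumption of this example; the layout of savesyss.dll is not described on the page, so pulling addresses out with a plain-text regex is likewise an assumption.

```python
import re
from typing import Dict, List

# Host-side indicators taken from the write-up above. The worm drops its
# copy under "several possible file names"; only syshostx.exe is shown on
# this page, so any other Run value pointing into System32 is reported for
# review rather than as a definite match (assumption, not a page fact).
KNOWN_DROPPED = {"syshostx.exe", "savesyss.dll"}
REASON_KNOWN = "known-dropped-name"
REASON_REVIEW = "system32-exe-review"

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Registry Editor export (reg export output) into {key: {name: data}}.
    Only string values ("name"="data") are kept, which is all a Run key holds.
    Backslashes and quotes are escaped in .reg files and are unescaped here."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group(1)] = data
    return keys


def suspicious_run_entries(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Return Run-key values that match the dropped-file name, plus any other
    executable launched from System32 for manual review."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, data in values.items():
            path = data.strip().strip('"')
            low = path.lower()
            base = low.rsplit("\\", 1)[-1]
            if base in KNOWN_DROPPED:
                reason = REASON_KNOWN
            elif "\\system32\\" in low and base.endswith(".exe"):
                reason = REASON_REVIEW
            else:
                continue
            hits.append({"key": key, "value": name, "path": path, "reason": reason})
    return hits


def dropped_files_present(system32_listing: List[str]) -> List[str]:
    """Names from a System32 directory listing that match the worm's dropped files."""
    return sorted(n.lower() for n in system32_listing if n.lower() in KNOWN_DROPPED)


def harvested_addresses(savesyss_blob: bytes) -> List[str]:
    """Pull email addresses out of a recovered savesyss.dll. The page does not
    describe the file's layout; the assumption here is that the addresses are
    stored as plain text, so a regex pass is the practical first triage step."""
    return sorted({m.decode("ascii") for m in EMAIL_RE.findall(savesyss_blob)})


# Constructed sample data (not taken from a real infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"syshostx"="C:\\WINNT\\System32\\syshostx.exe"
"Adobe Speed Launcher"="C:\\Program Files\\Adobe\\reader_sl.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\System32\\ctfmon.exe"
"""

SAMPLE_SYSTEM32 = ["kernel32.dll", "SYSHOSTX.EXE", "savesyss.dll", "ctfmon.exe"]

SAMPLE_SAVESYSS = b"\x00\x00alice@example.org\x00bob.smith@example.de\x00\x00alice@example.org\xff"

if __name__ == "__main__":
    for hit in suspicious_run_entries(parse_reg_export(SAMPLE_REG)):
        print(f"{hit['reason']:22} {hit['key']}\\{hit['value']} -> {hit['path']}")
    print("dropped files:", dropped_files_present(SAMPLE_SYSTEM32))
    print("harvested addresses:", harvested_addresses(SAMPLE_SAVESYSS))
```

On a live host the registry export comes from `reg export` of the two Run keys and the listing from the real System32 folder; the review tier will also list legitimate System32 programs such as ctfmon.exe, which is intended, because the page says the worm uses several names and only gives one of them.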

Recommended Action

  • Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Alternatively, this virus can be blocked by FortiGate units by blocking file attachments with .ZIP, .COM, .EXE, .BAT, .PIF or .SCR extensions; using the FortiGate manager, enable blocking of these extensions for the SMTP, IMAP and POP3 services
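The attachment-extension block recommended above is a simple policy, but the worm's attachment names are chosen to look like a web site link, so the decision has to be made on the name's final extension only and must not be fooled by trailing dots or spaces. The following is an added example of that gateway-side check written in Python against a constructed message; it is not FortiGate configuration and not code from the original page. The sample message, its attachment names and addresses are all made up for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Extensions the write-up recommends blocking on SMTP, IMAP and POP3.
BLOCKED_EXTENSIONS = {".zip", ".com", ".exe", ".bat", ".pif", ".scr"}


def is_blocked_name(filename: Optional[str]) -> bool:
    """Decide on the attachment's final extension only. Windows ignores trailing
    dots and spaces when it resolves a name, so they are stripped first; a name
    built to look like a web address (www.example.com.pif, or even just
    www.example.com) still ends in a blocked extension and is caught."""
    if not filename:
        return False
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return dot >= 0 and name[dot:] in BLOCKED_EXTENSIONS


def blocked_attachments(raw_message: bytes) -> List[str]:
    """Parse one RFC 5322 message and return the attachment names that the
    gateway policy would block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [
        part.get_filename()
        for part in msg.iter_attachments()
        if is_blocked_name(part.get_filename())
    ]


def build_sample_message() -> bytes:
    """Constructed test message, not a real worm sample: a harmless text
    attachment plus two attachments whose names match the blocked set."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Your document"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"MZ\x90\x00stub", maintype="application",
                       subtype="octet-stream", filename="www.example.com.pif")
    msg.add_attachment("meeting notes", filename="notes.txt")
    msg.add_attachment(b"PK\x03\x04stub", maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print("blocked:", blocked_attachments(build_sample_message()))
```

Note that a bare name such as www.example.com is blocked as a .COM file, which is exactly the disguise the write-up describes; a policy that only checked for a "double extension" would miss it.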
