W32/Yenik.A@mm

Analysis

  • The virus is a 32-bit Windows executable with a packed file size of 18,432 bytes
  • The virus is buggy: it expects to be run from the System folder as "updater.exe", and when executed from elsewhere it can raise an Illegal Page Fault in its own process
  • The virus reads addresses from the Windows Address Book and writes them to a text file named YENIK.TXT; this file is removed later
  • The virus then composes an email for each address found. The subject line and body text vary between emails, and every message carries an infectious file attachment. Examples of the possible subjects, body text and attachment names are listed below -

    Subjects possible:
    Big Virus Cleaner Tools
    Free Antivirus
    Internet Explorer Security Bug Fix
    New Big Patcher
    New Private Message
    New Security Patcher
    No Virus and New Life
    Virus Hunter in your box
    Win98 Security Tools

    Body text possibilities:
    (1)
    What are Viruses, Trojan Horses and Worms? "Though these terms are often used interchangeably, they refer to different types of "malicious computer programs.

    (2)
    Guide to Online Security "Protecting your privacy and information online is extremely important to Yahoo!. We are " constantly evaluating our security technologies to ensure we are taking every reasonable "step to protect your personal information.

    (3)
    Disabling System Restore (Windows Me/XP) "If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System" Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your "computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System "Restore may back up the virus, worm, or Trojan on the computer.

    Attachment file names:
    FreeAntivirus.exe
    InternetExplorerSecurity.exe
    NewVirusCleaner.exe
    Patcher.exe
    PrivateMessage.exe
    VirusHunherII.exe
    W32-Myd00m_Blocker.exe
    Win98Security.exe
    WinXP-SP1.exe

  • The virus may also copy itself into any of these hard-coded shared folders of file-sharing and messaging applications -

    C:\Program Files\Bearshare\Shared\
    C:\Program Files\eDonkey2000\Incoming\
    C:\Program Files\eMule\Incoming\
    C:\Program Files\Grokster\My Grokster\
    C:\Program Files\ICQ\Shared Folder\
    C:\Program Files\Kazaa Lite K++\My Shared Folder\
    C:\Program Files\Kazaa Lite\My Shared Folder\
    C:\Program Files\Kazaa\My Shared Folder\
    C:\Program Files\Morpheus\My Shared Folder\

    using any or all of these file names -

    DivX Pro.exe
    ICQ Hacker.exe
    Half Life 2 Original KeyGen.exe
    GTA Keygen.exe
    Windows Password Cracker.exe
    Matrix Screen Saver.exe
    NetBIOS Hacker.exe
    New Exploit.exe
    Kaspersky Anti-Hacker.exe
    Linux Kernel Hacker.exe
    Ftp Hacker.exe
    PopStar-Firdevs.mp3.exe
    PopStar-Abidin.mp3.exe
    PopStar-Bayhan.mp3.exe
    New Keylogger.exe
    Hotmail Hacker.exe
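
The email lures and the file-sharing drop locations above are static indicators, so a responder can sweep for them directly. The script below is an added example, not code from the original page or from Fortinet: it checks file paths and mail-gateway records against the hard-coded drop folders, lure file names, subjects and attachment names listed in the analysis. Two things are assumptions, not facts from the page: the "System folder" is taken to be either C:\Windows\System or C:\Windows\System32 (the analysis does not say which Windows family it examined), and the sample paths and mail records at the bottom are constructed for illustration.

```python
"""Artifact hunt for the W32/Yenik.A@mm indicators listed above.

Added example, not code from the original page or from Fortinet. The
"System folder" is assumed to be C:\\Windows\\System or C:\\Windows\\System32
(the analysis does not say which), and the sample input at the bottom is
constructed for illustration."""
import ntpath
from typing import Iterable, List, Optional, Tuple

# Hard-coded shared folders the worm copies itself into (from the analysis).
P2P_DROP_DIRS = [
    r"C:\Program Files\Bearshare\Shared", r"C:\Program Files\eDonkey2000\Incoming",
    r"C:\Program Files\eMule\Incoming", r"C:\Program Files\Grokster\My Grokster",
    r"C:\Program Files\ICQ\Shared Folder", r"C:\Program Files\Kazaa Lite K++\My Shared Folder",
    r"C:\Program Files\Kazaa Lite\My Shared Folder", r"C:\Program Files\Kazaa\My Shared Folder",
    r"C:\Program Files\Morpheus\My Shared Folder",
]
# Lure names used for those copies (from the analysis).
P2P_LURE_NAMES = [
    "DivX Pro.exe", "ICQ Hacker.exe", "Half Life 2 Original KeyGen.exe", "GTA Keygen.exe",
    "Windows Password Cracker.exe", "Matrix Screen Saver.exe", "NetBIOS Hacker.exe",
    "New Exploit.exe", "Kaspersky Anti-Hacker.exe", "Linux Kernel Hacker.exe", "Ftp Hacker.exe",
    "PopStar-Firdevs.mp3.exe", "PopStar-Abidin.mp3.exe", "PopStar-Bayhan.mp3.exe",
    "New Keylogger.exe", "Hotmail Hacker.exe",
]
# Subjects and attachment names of the mails it sends (from the analysis).
MAIL_SUBJECTS = [
    "Big Virus Cleaner Tools", "Free Antivirus", "Internet Explorer Security Bug Fix",
    "New Big Patcher", "New Private Message", "New Security Patcher", "No Virus and New Life",
    "Virus Hunter in your box", "Win98 Security Tools",
]
MAIL_ATTACHMENTS = [
    "FreeAntivirus.exe", "InternetExplorerSecurity.exe", "NewVirusCleaner.exe", "Patcher.exe",
    "PrivateMessage.exe", "VirusHunherII.exe", "W32-Myd00m_Blocker.exe", "Win98Security.exe",
    "WinXP-SP1.exe",
]
# ASSUMED System-folder locations of the worm body and its temporary address dump.
SYSTEM_ARTIFACTS = [ntpath.join(d, f) for d in (r"C:\Windows\System", r"C:\Windows\System32")
                    for f in ("updater.exe", "yenik.txt")]


def _norm(path: str) -> str:
    """Collapse separators and '..', drop trailing backslash, lower-case (FAT/NTFS names are case-insensitive)."""
    return ntpath.normpath(path).lower()


_DROP_DIRS = {_norm(d) for d in P2P_DROP_DIRS}
_LURES = {n.lower() for n in P2P_LURE_NAMES}
_SYSTEM = {_norm(p) for p in SYSTEM_ARTIFACTS}
_SUBJECTS = {s.lower() for s in MAIL_SUBJECTS}
_ATTACHMENTS = {a.lower() for a in MAIL_ATTACHMENTS}


def classify_path(path: str) -> Optional[str]:
    """Reason a file path looks like a Yenik.A artifact, or None.

    A lure name alone is not enough: it must sit in one of the hard-coded drop
    folders, otherwise a user's own 'GTA Keygen.exe' download would be flagged."""
    full = _norm(path)
    if full in _SYSTEM:
        return "worm body or address dump in System folder"
    directory, name = ntpath.split(full)
    if directory in _DROP_DIRS and name in _LURES:
        return "lure copy in file-sharing folder"
    return None


def classify_mail(subject: str, attachment: Optional[str]) -> Optional[str]:
    """Reason a mail looks like a Yenik.A send, or None. The worm picks subject
    and attachment independently, so either can hit; subject-only is the weakest."""
    subj_hit = subject.strip().lower() in _SUBJECTS
    att_hit = attachment is not None and attachment.strip().lower() in _ATTACHMENTS
    if subj_hit and att_hit:
        return "subject and attachment match"
    if att_hit:
        return "attachment name matches"
    return "subject matches (weak)" if subj_hit else None


def triage(paths: Iterable[str],
           mails: Iterable[Tuple[str, Optional[str]]]) -> List[Tuple[str, str]]:
    """Run both classifiers; return (item, reason) for every hit, in input order."""
    hits = [(p, r) for p in paths if (r := classify_path(p))]
    hits += [(f"{s} / {a}", r) for s, a in mails if (r := classify_mail(s, a))]
    return hits


# Constructed sample input (not real telemetry).
SAMPLE_PATHS = [
    r"C:\Program Files\Kazaa\My Shared Folder\GTA Keygen.exe",   # hit: lure in drop folder
    r"C:\Program Files\Kazaa\My Shared Folder\readme.txt",       # clean
    r"C:\WINDOWS\SYSTEM\updater.exe",                            # hit: assumed worm body location
    r"C:\Users\alice\Downloads\GTA Keygen.exe",                  # clean: lure name outside drop folders
]
SAMPLE_MAILS = [("New Security Patcher", "Patcher.exe"), ("Quarterly report", "report.xlsx"),
                ("Re: lunch", "W32-Myd00m_Blocker.exe")]

if __name__ == "__main__":
    for item, reason in triage(SAMPLE_PATHS, SAMPLE_MAILS):
        print(f"{reason:45s} {item}")
```

Paths are normalised with `ntpath` rather than `os.path` so the check behaves the same when run from a Linux analysis box over a mounted image; normalisation also defeats `..` and mixed-case tricks in the folder part. Because the worm chooses subject and attachment independently, the mail check reports which of the two matched so that a subject-only hit (which a legitimate mail could share) can be weighted lower than an attachment-name hit.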

Recommended Action

  • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option

Telemetry

Detection Availability

    Product                     Availability
    FortiClient                 Extreme
    FortiMail                   Extreme
    FortiSandbox                Extreme
    FortiWeb                    Extreme
    Web Application Firewall    Extreme
    FortiIsolator               Extreme
    FortiDeceptor               Extreme
    FortiEDR