W32/Datom.A
Analysis
- The virus is written in a high-level language and consists of three files:
  - MSVXD.exe - 58,368 bytes - copies files, initiates MSVXD16.dll
  - MSVXD32.dll - 81,408 bytes - contains hooks for MPR.dll, WSOCK32.dll
  - MSVXD16.dll - 54,784 bytes - contains registry modification code
- When the virus is executed, it enumerates the shares visible in Network Neighborhood, attempts to connect to each share, and infects the target machine by copying all three components into its Windows folder.
- It also attempts to modify WIN.INI on the target system so that MSVXD.exe is loaded at the next Windows startup.
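A defender-side check for the persistence and on-disk footprint described above, added here as an example and not part of the Fortinet write-up: it scans WIN.INI text for [windows] load=/run= entries that reference one of the three component files, and matches a Windows-folder listing against the component names and byte sizes listed above. That the WIN.INI change uses the load=/run= keys is an assumption; the page does not name the key.

```python
import re
from typing import Dict, List, Tuple

# Component files named in the analysis above, with the byte sizes given there.
DATOM_COMPONENTS: Dict[str, int] = {
    "msvxd.exe": 58368,
    "msvxd32.dll": 81408,
    "msvxd16.dll": 54784,
}

# The page only says WIN.INI is modified so MSVXD.exe loads at startup; that
# this happens through the [windows] load= / run= keys is an assumption made
# for this example (those are the classic WIN.INI autostart keys).
STARTUP_KEYS = ("load", "run")


def win_ini_startup_refs(win_ini_text: str) -> List[Tuple[str, str]]:
    """Return (key, entry) pairs from [windows] load=/run= that name a component."""
    hits = []
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key not in STARTUP_KEYS:
            continue
        # load=/run= take several programs separated by spaces or commas.
        for item in re.split(r"[ ,]+", value.strip()):
            name = item.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in DATOM_COMPONENTS:
                hits.append((key, item))
    return hits


def matching_components(listing: Dict[str, int]) -> List[str]:
    """Given {filename: size} for a Windows folder, return component names
    whose size matches exactly the figure reported in the analysis."""
    return sorted(name for name, size in listing.items()
                  if DATOM_COMPONENTS.get(name.lower()) == size)
```

Both functions take plain text or a name-to-size mapping, so they can be run offline over a captured WIN.INI and a directory listing taken from a suspect host.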
Detection Availability
Product | Detection
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |
Version Updates
Date | Version | Detail |
---|---|---|
2018-09-25 | 62.46700 | Sig Updated |