W32/Chir.A@mm
Analysis
- Virus is 32-bit, with a size of 10799 bytes
- Virus contains code to identify the computer name and store it as a constant in memory for use during propagation
- When executed, the virus copies itself to the Windows\System folder as "runonce.exe" and also modifies the registry to load this file at Windows startup:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
  Runonce = Windows\System\runouce.exe
- Next, the virus attempts to locate machines connected on the network via calls to MPR.DLL. The virus then attempts to copy itself in Base64 format to those systems, if writeable, as [infected host computername].eml
- The virus may attempt to send itself using SMTP to addresses found on the host system, with a malformed MIME header and an I-Frame exploit intended to launch the email attachment automatically, in this format:
  From: iloveyou@btamail.net.cn
  Subject: Hi,i am [username]
  Attachment: p.exe
- Virus contains this string in its body: "ChineseHacker"
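The persistence entry and the mail format above are the two host- and gateway-side artifacts a defender can check for. The following Python is an added example (not code from the analysis or from the vendor) that scores a snapshot of the Run key and a raw message against those indicators. The constant names, the two sample inputs (a constructed Run-key snapshot and a constructed RFC 822 message) and the function names are assumptions made for the example; on a live host the Run-key snapshot would come from winreg.

```python
import re
from email import policy
from email.parser import BytesParser

# Indicators taken from the analysis above (names of constants are the example's own).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "runonce"                      # value name written under Run
DROPPED_NAMES = {"runonce.exe", "runouce.exe"}  # both spellings given in the analysis
MAIL_FROM = "iloveyou@btamail.net.cn"
SUBJECT_RE = re.compile(r"^Hi,i am ", re.IGNORECASE)
ATTACHMENT_NAME = "p.exe"


def check_run_values(run_values):
    """Return findings for Run-key values that match the described persistence.

    run_values is a {value_name: data} snapshot of the Run key, passed in so the
    check runs on any platform. A value *named* Runonce under Run (as opposed to
    the separate RunOnce key) or any value whose target is the dropped file is flagged.
    """
    findings = []
    for name, data in run_values.items():
        exe = data.strip('"').split("\\")[-1].lower()
        if name.lower() == RUN_VALUE_NAME or exe in DROPPED_NAMES:
            findings.append(f"{RUN_KEY}\\{name} = {data}")
    return findings


def check_mail(raw):
    """Return the list of indicators present in one raw RFC 822 message.

    Possible entries: "from", "subject", "attachment", "iframe". A message that
    carries all four matches the format described in the analysis.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    if MAIL_FROM in (msg.get("From", "") or "").lower():
        hits.append("from")
    if SUBJECT_RE.match(msg.get("Subject", "") or ""):
        hits.append("subject")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower() == ATTACHMENT_NAME:
            hits.append("attachment")
        if part.get_content_type() == "text/html":
            # The analysis describes an I-Frame used to launch the attachment;
            # any iframe in the HTML body is treated as an indicator here.
            if re.search(r"<iframe\b", part.get_content(), re.IGNORECASE):
                hits.append("iframe")
    return hits


# Constructed sample data for a stand-alone run (not captured from a real host).
SAMPLE_RUN_VALUES = {
    "Runonce": r"Windows\System\runouce.exe",
    "Updater": r"C:\Program Files\Example\updater.exe",
}

SAMPLE_MAIL = b"""From: iloveyou@btamail.net.cn
To: victim@example.invalid
Subject: Hi,i am alice
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><iframe src="cid:p.exe" width="0" height="0"></iframe></body></html>
--b1
Content-Type: application/octet-stream; name="p.exe"
Content-Disposition: attachment; filename="p.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for finding in check_run_values(SAMPLE_RUN_VALUES):
        print("persistence indicator:", finding)
    print("mail indicators:", check_mail(SAMPLE_MAIL))
```

The mail check deliberately reports partial matches rather than a single verdict, so a gateway rule can decide how many of the four indicators are required; the sender address alone is weak, while attachment name plus iframe together describe the delivery mechanism the analysis documents.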
Telemetry
Detection Availability
Product | Database
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |