W32/Chir.A@mm

Analysis

  • Virus is 32-bit, with a size of 10799 bytes
  • Virus contains code to identify the computer name and store it as a constant in memory for use during propagation
  • When executed, the virus copies itself to the Windows\System folder as “runonce.exe” and also modifies the registry to load this file at Windows startup –

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run\
    Runonce = Windows\System\runouce.exe

  • Next, the virus attempts to locate machines connected on the network by calling into MPR.DLL – the virus then attempts to copy itself in Base64 format to those systems, if writable, as [infected host computername].eml

  • Virus may attempt to send itself via SMTP to addresses found on the host system, using a malformed MIME header together with an I-Frame exploit in an attempt to launch the email attachment automatically, in this format –

    From: iloveyou@btamail.net.cn
    Subject: Hi,i am [username]
    Attachment: p.exe
    Virus contains this string in its body – “ChineseHacker”
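A mail-gateway style check for the message characteristics listed above (sender, subject prefix, attachment name, body string, an IFRAME in the HTML part, and MIME parsing defects). This is an added example written for this entry, not Fortinet code; the sample message it scores is a constructed fixture with a placeholder attachment, not the virus.

```python
"""Score an RFC 822 message against the W32/Chir.A@mm indicators listed in the analysis."""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Indicator values taken from the analysis text above.
SENDER = "iloveyou@btamail.net.cn"
SUBJECT_PREFIX = "Hi,i am "
ATTACHMENT = "p.exe"
BODY_MARKER = "ChineseHacker"


def chir_indicators(raw: bytes) -> list[str]:
    """Return the sorted list of indicator names matched by a raw message."""
    msg = message_from_bytes(raw, policy=default)
    hits = set()
    if parseaddr(msg.get("From", ""))[1].lower() == SENDER:
        hits.add("sender")
    if msg.get("Subject", "").startswith(SUBJECT_PREFIX):
        hits.add("subject")
    for part in msg.walk():
        # Malformed MIME headers show up as parser defects on the affected part.
        if part.defects:
            hits.add("mime-defect")
        name = part.get_filename()
        if name and name.lower() == ATTACHMENT:
            hits.add("attachment")
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            text = part.get_content()
            if BODY_MARKER in text:
                hits.add("body-string")
            # Any IFRAME in a mail body is suspicious; the virus uses one to auto-launch p.exe.
            if ctype == "text/html" and "<iframe" in text.lower():
                hits.add("iframe")
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed fixture mimicking the described layout (placeholder bytes, no real binary)."""
    m = EmailMessage()
    m["From"] = SENDER
    m["To"] = "recipient@example.invalid"  # assumed placeholder recipient
    m["Subject"] = SUBJECT_PREFIX + "alice"
    m.set_content("hello")
    m.add_alternative(
        '<html><body>ChineseHacker<iframe src="cid:attach"></iframe></body></html>',
        subtype="html",
    )
    m.add_attachment(b"PLACEHOLDER-NOT-A-BINARY", maintype="application",
                     subtype="octet-stream", filename=ATTACHMENT)
    return m.as_bytes()
```

Matching several indicators at once, rather than any single one, is what should drive a quarantine decision; the sender and subject alone are trivially spoofed by unrelated mail.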

Telemetry

Detection Availability

FortiGate                  Extreme
FortiClient                Extended
FortiMail                  Extended
FortiSandbox               Extended
FortiWeb                   Extended
Web Application Firewall   Extended
FortiIsolator              Extended
FortiDeceptor              Extended
FortiEDR

Version Updates

Date         Version    Detail
2023-03-07   91.01211
2023-01-26   91.00012