W32/Argdoor.A
Analysis
- Virus is 32-bit with a compressed file size of 58,368 bytes
- Virus is capable of spreading to other computers across a network, and then functioning as a bot awaiting instructions from a malicious user
- If the virus is run, it seeks other computers across a network by targeting the IPC$ share - once connected, the virus attempts to copy itself as the file "MsUpdate.exe" to any of these paths that is available for write access:
  \Windows\Start Menu\Programs\Startup
  \Windows.000\Start Menu\Programs\Startup
  \Win98\Start Menu\Programs\Startup
  \WinME\Start Menu\Programs\Startup
  \Documents and Settings\All Users\Start Menu\Programs\Startup
- The virus may attempt to connect to any of these IRC servers:
  RiDe.nightrun.com.ar
  RiDe.beztia.com.ar
  RiDe.damaged.com.ar
  RiDe.digitalsword.com.ar
  and join one of these channels:
  #R1DerS
  #Pr1de
  #D4mageD
- When the virus is running in memory, a mutex exists by this name:
  "ProtoType_v2:Mutex:Th1sM34nsW4r:m4ss1v3:RiDe:2.3.1(500)"
- The registry could be updated to run the virus every time an EXE file is run:
  HKEY_CLASSES_ROOT\exefile\shell\open\command\
  (Default) = (path of MsUpdate.exe)\MsUpdate.exe undefined1
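The indicators above (dropped file name, startup paths, IRC servers and channels, mutex name, exefile command hijack) can be turned into a small host-triage script. The following is an added example written for this entry, not Fortinet's code or the malware's: the indicator strings are taken from the analysis, while the log-line format, the fake file listing, the function names and the assumption that the hijacked command keeps the usual "%1" %* suffix (the entry's rendering of that value is garbled) are constructed for illustration. The mutex check is the only live probe and only runs on Windows; everything else works on supplied data so it can be tested offline.

```python
"""Host-triage helpers for the W32/Argdoor.A indicators in this entry.

Added example, not Fortinet's code. Indicator strings come from the entry;
the log format, fake file listing and function names are constructed.
"""
import ctypes
import re
import sys
from pathlib import PureWindowsPath

DROPPED_NAME = "MsUpdate.exe"
MUTEX_NAME = "ProtoType_v2:Mutex:Th1sM34nsW4r:m4ss1v3:RiDe:2.3.1(500)"
IRC_SERVERS = {
    "ride.nightrun.com.ar", "ride.beztia.com.ar",
    "ride.damaged.com.ar", "ride.digitalsword.com.ar",
}
IRC_CHANNELS = {"#r1ders", "#pr1de", "#d4maged"}
STARTUP_DIRS = [
    r"\Windows\Start Menu\Programs\Startup",
    r"\Windows.000\Start Menu\Programs\Startup",
    r"\Win98\Start Menu\Programs\Startup",
    r"\WinME\Start Menu\Programs\Startup",
    r"\Documents and Settings\All Users\Start Menu\Programs\Startup",
]
# On an untouched Windows install the exefile open command is "%1" %* (quotes included).
CLEAN_EXEFILE_COMMAND = '"%1" %*'


def exefile_command_verdict(command):
    """Classify the (Default) value of HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command.

    Returns "clean", "argdoor" (MsUpdate.exe wrapped around every EXE launch)
    or "nonstandard" (some other program sits in front of "%1").
    """
    stripped = command.strip()
    if stripped == CLEAN_EXEFILE_COMMAND:
        return "clean"
    # First token is either a quoted path or a bare one.
    m = re.match(r'"([^"]*)"|(\S+)', stripped)
    first = (m.group(1) or m.group(2)) if m else ""
    if PureWindowsPath(first).name.lower() == DROPPED_NAME.lower():
        return "argdoor"
    return "nonstandard"


def dropped_copies(drive_root, existing_files):
    """Return the startup-folder paths on `drive_root` where MsUpdate.exe is present.

    `existing_files` is a set of full paths; the test feeds a constructed set,
    on a live host build it with os.walk or os.path.exists.
    """
    lowered = {p.lower() for p in existing_files}
    hits = []
    for d in STARTUP_DIRS:
        candidate = drive_root.rstrip("\\") + d + "\\" + DROPPED_NAME
        if candidate.lower() in lowered:
            hits.append(candidate)
    return hits


def irc_indicator_hits(log_lines):
    """Scan DNS/proxy/IRC log lines for the C2 servers and channels.

    Each hit is (line_number, indicator). Matching is case-insensitive
    because DNS names and IRC channel names are.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        low = line.lower()
        for ind in sorted(IRC_SERVERS | IRC_CHANNELS):
            if ind in low:
                hits.append((n, ind))
    return hits


def mutex_present():
    """Live check (Windows only): does the bot's mutex exist right now?

    Opens the named mutex with SYNCHRONIZE access; returns False elsewhere.
    """
    if sys.platform != "win32":
        return False
    SYNCHRONIZE = 0x00100000
    kernel32 = ctypes.windll.kernel32
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, MUTEX_NAME)
    if not handle:
        return False
    kernel32.CloseHandle(handle)
    return True


# Constructed sample input (not a real capture or a real host listing).
SAMPLE_LOG = [
    "2003-05-12 10:01:02 dns query host1 RiDe.nightrun.com.ar A",
    "2003-05-12 10:01:05 tcp host1 -> 203.0.113.7:6667 JOIN #Pr1de",
    "2003-05-12 10:02:00 dns query host2 update.example.com A",
]
SAMPLE_FILES = {
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MsUpdate.exe",
    r"C:\Windows\notepad.exe",
}
# Assumed shape of the hijacked value; the entry shows the suffix garbled.
HIJACKED_COMMAND = r'C:\WINDOWS\MsUpdate.exe "%1" %*'

if __name__ == "__main__":
    print("exefile command:", exefile_command_verdict(HIJACKED_COMMAND))
    print("dropped copies:", dropped_copies("C:", SAMPLE_FILES))
    print("irc hits:", irc_indicator_hits(SAMPLE_LOG))
    print("mutex present:", mutex_present())
```

On a real host, replace SAMPLE_FILES with a walk of the startup folders on each fixed drive and feed irc_indicator_hits the DNS or proxy log of the hosts in question; a "nonstandard" verdict on the exefile command is worth a look even when it is not this family, since the same key is a common persistence point.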
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option