W32/Taripox.B
Analysis
- Virus is 32-bit and has a UPX-compressed size of 21,504 bytes
- When virus is executed, it will write itself to the Windows folder as “mmoplib.exe”
- Virus will modify the registry to load at Windows startup:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
  mmopl = C:\Windows\mmoplib.exe
- When emails are sent via SMTP, virus may add an infected file attachment to the original email, as in this example:
  [Original]
  To: [anyone]
  Subject: [anything]
  Body: [anything]
  Attachment: [none]
  [Modified]
  To: [anyone]
  Subject: [anything]
  Body: [anything]
  Attachment: [infected file attachment]
- Virus contains this string:
  W32.Taricone-B.worm@proxy by I.V.E.L.
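A check for the startup registry entry described above, written as an added example that is not part of the original analysis. It scans the text of a `reg export` of the Run key for the value name or file name listed above; the function names are hypothetical and the sample export is constructed.

```python
import re

# Indicators from the analysis above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
VALUE_NAME = "mmopl"
FILE_NAME = "mmoplib.exe"

# Constructed sample in `reg export` text format (not taken from a real host).
# A real export is UTF-16; decode it before passing the text in.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" /min"
"mmopl"="C:\\Windows\\mmoplib.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"mmopl"="C:\\Temp\\unrelated.exe"
'''

_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_FILE_RE = re.compile(r'(?:^|[\\/"])' + re.escape(FILE_NAME) + r'(?:$|[\s"])', re.I)

def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_string_values(text):
    """Yield (key, name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := _STRING_VALUE.match(line)):
            yield key, _unescape(m.group(1)), _unescape(m.group(2))

def find_run_entries(text):
    """Return Run-key values matching the value name or file name above."""
    hits = []
    for key, name, data in parse_string_values(text):
        if key.lower() != RUN_KEY.lower():
            continue  # only the Run key named in the analysis is checked
        name_match = name.lower() == VALUE_NAME
        file_match = bool(_FILE_RE.search(data))
        if name_match or file_match:
            hits.append({"name": name, "data": data,
                         "name_match": name_match, "file_match": file_match})
    return hits
```

A hit on the file name alone still deserves a look, since it covers a Windows folder other than C:\Windows or a value stored under a different name.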