W32/Yaha.E@mm
Analysis
- Virus is a 32-bit executable with a UPX-compressed size of 27,138 bytes
- When executed, the virus may attempt to terminate running processes whose names match the following (antivirus and personal-firewall products):
ANTIVIR
ATRACK
AVCONSOL
AVP.EXE
AVP32
AVSYNMGR
CFINET
CFINET32
F-PROT95
FP-WIN
F-STOPW
IAMAPP
ICMON
IOMON98
LOCKDOWN2000
LUALL
LUCOMSERVER
MCAFEE
NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
NAVWNT
NISSERV
NISUM
NMAIN
NORTON
NVC95
PCCIOMON
PCCMAIN
PCCWIN98
POP3TRAP
PVIEW95
RESCUE32
SAFEWEB
SYMPROXYSVC
VSHWIN32
VSSTAT
WEBSCANX
WEBTRAP
ZONEALARM
- Virus may copy itself to the Recycle Bin folder under a random six-letter file name and modify the registry so that a copy of the virus runs any time an EXE file is launched, as in this example:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "c:\recycled\xxxxxx" %1 %*
where "xxxxxx" is the name of the file created in the Recycle Bin. The unmodified Windows value for this key is "%1" %*, so any other value here is suspect.
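As an added example (not part of the original Fortinet write-up), the following Python parses a `reg export` of HKCR\exefile\shell\open\command and classifies the (Default) value, so the exefile hijack described above can be checked offline against an export taken from a suspect host. The sample .reg texts, the stand-in file name `abcdef`, and the function names are constructed for this example.

```python
import re

# Constructed sample exports, in the format written by
# "reg export HKCR\exefile\shell\open\command out.reg".
# "abcdef" stands in for the random six-letter name the worm picks.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"c:\\recycled\\abcdef\" %1 %*"
'''

EXEFILE_KEY = r"[HKEY_CLASSES_ROOT\exefile\shell\open\command]"
STANDARD_COMMAND = '"%1" %*'  # the unmodified Windows value
# Value shape from the analysis: a six-letter file under c:\recycled followed by %1 %*.
YAHA_HIJACK = re.compile(r'^"?[a-z]:\\recycled\\[a-z]{6}"?\s+%1\s+%\*\s*$', re.IGNORECASE)


def _unescape_reg_string(raw: str) -> str:
    """Undo .reg string escaping (backslash-escaped backslashes and quotes)."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def exefile_command(reg_text: str):
    r"""Return the (Default) value of HKCR\exefile\shell\open\command, or None if absent."""
    in_key = False
    for line in reg_text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_key = s.lower() == EXEFILE_KEY.lower()
            continue
        if in_key and s.startswith('@="') and s.endswith('"'):
            return _unescape_reg_string(s[3:-1])
    return None


def classify(command) -> str:
    """Classify the command as clean, yaha-style hijack, non-standard, or missing."""
    if command is None:
        return "missing"
    c = command.strip()
    if c == STANDARD_COMMAND:
        return "clean"
    if YAHA_HIJACK.match(c):
        return "yaha-style hijack"
    return "non-standard"


def hijacked_path(command):
    r"""Path of the worm copy named in a hijacked command (e.g. c:\recycled\abcdef), for cleanup."""
    m = re.match(r'^"?([a-z]:\\recycled\\[a-z]{6})"?', command.strip(), re.IGNORECASE)
    return m.group(1) if m else None


if __name__ == "__main__":
    for name, text in (("clean", CLEAN_REG), ("infected", INFECTED_REG)):
        cmd = exefile_command(text)
        print(f"{name}: {cmd!r} -> {classify(cmd)}")
```

On the host, `reg export "HKCR\exefile\shell\open\command" exefile.reg` produces the input; `reg export` writes UTF-16, so open the file with `encoding="utf-16"` before passing its text in. Because the hijacked value runs the worm copy in front of every EXE launch, restore the (Default) value to `"%1" %*` and delete the file named by `hijacked_path()` as part of the same cleanup step, not after further EXE tools have been run on the machine.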
- Next, the virus scavenges the local drive for email addresses and sends a copy of itself to the addresses found, in varying email formats, with a randomly selected subject line and body text.
- The message is structured to use an exploit that causes the attachment to launch automatically when the message is opened or previewed in Outlook, so the recipient does not need to open the attachment for the virus to run.
- The email message carries an additional attachment, typically a file with an .HTM extension, which is clean and non-infectious.
Recommended Action
- Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
Detection Availability

Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |