Threat Encyclopedia
W95/Weird.10240
Analysis
- Viral body is 10,240 bytes and is prepended to
files
- Virus locates Explorer.exe and copies it as a new
file into the Windows folder with a single character
extension such as "Explorer.m" - the virus
then infects this copy
- Virus attempts to overwrite the existing Explorer.exe
with the infected copy by adding a [rename] entry to
WININIT.INI so that Windows replaces the file at the next
startup - WININIT.INI is a Windows 9x mechanism and is not
processed by Windows NT based operating systems, so the
replacement fails there
- Virus infects files in the Windows\System folder
and any file accessed afterwards
- Virus opens a connection to the Internet on TCP port
17300 in an attempt to allow remote access to the
infected host
- Virus contains the following text string -
Coded by Weird
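The indicators listed above (the WININIT.INI rename entry, the single-character-extension copy of Explorer.exe, the 10,240-byte prepended body carrying the "Coded by Weird" string, and TCP port 17300) can be checked offline on a disk image or exported evidence. The following is an added triage example, not Fortinet's code or part of the original entry; the WININIT.INI text, file images and netstat lines it runs over are constructed samples, and the "marker string in the first 10,240 bytes followed by an MZ header" test is a heuristic assumed here, not a signature from the analysis.

```python
"""Offline triage checks for the W95/Weird.10240 indicators listed in the analysis.

Added example, not Fortinet's code.  All sample data below is constructed for
illustration; nothing here contacts a live host.
"""
import re
from typing import List, Tuple

WEIRD_BODY_SIZE = 10240             # size of the prepended viral body (from the analysis)
WEIRD_PORT = 17300                  # TCP port the analysis associates with remote access
WEIRD_MARKER = b"Coded by Weird"    # text string the analysis says the body contains


def parse_wininit_renames(ini_text: str) -> List[Tuple[str, str]]:
    """Return (destination, source) pairs from the [rename] section of WININIT.INI.

    Windows 9x reads this file once at boot and performs each 'dest=source' move
    before the shell starts, which is the replacement mechanism the analysis
    describes.  Assumes plain ASCII INI text.
    """
    pairs, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "rename" and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            pairs.append((dest, src))
    return pairs


def explorer_swap_entries(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flag rename entries that overwrite Explorer.exe from a sibling copy whose
    extension is a single character (the 'Explorer.m' pattern)."""
    single_char_ext = re.compile(r"explorer\.[a-z0-9]$", re.IGNORECASE)
    return [(dest, src) for dest, src in pairs
            if dest.lower().endswith("explorer.exe") and single_char_ext.search(src)]


def looks_prepended_by_weird(image: bytes) -> bool:
    """Heuristic (assumed here, not from the analysis) for an infected file image:
    the marker string sits inside the first 10,240 bytes and the original host's
    MZ header begins right after them.  Confirm with an up-to-date AV engine."""
    if len(image) <= WEIRD_BODY_SIZE:
        return False
    head = image[:WEIRD_BODY_SIZE]
    host = image[WEIRD_BODY_SIZE:WEIRD_BODY_SIZE + 2]
    return WEIRD_MARKER in head and host == b"MZ"


def weird_port_sockets(netstat_lines: List[str]) -> List[str]:
    """Return 'netstat -an' style lines whose local endpoint is TCP port 17300.
    Assumes the classic 'Proto  Local Address  Foreign Address  State' layout."""
    hits = []
    for line in netstat_lines:
        fields = line.split()
        if (len(fields) >= 3 and fields[0].upper() == "TCP"
                and fields[1].endswith(f":{WEIRD_PORT}")):
            hits.append(line.strip())
    return hits


# --- constructed sample data (not captured from a real infection) --------------
SAMPLE_WININIT = """\
[rename]
NUL=C:\\WINDOWS\\TEMP\\OLDSETUP.TMP
C:\\WINDOWS\\EXPLORER.EXE=C:\\WINDOWS\\EXPLORER.M
"""

# Fake infected image: a 10,240-byte body carrying the marker, then a stub host
# that begins with an MZ header.
SAMPLE_INFECTED = (b"\x00" * 100 + WEIRD_MARKER).ljust(WEIRD_BODY_SIZE, b"\x90") \
    + b"MZ" + b"\x00" * 62
SAMPLE_CLEAN = b"MZ" + b"\x00" * 20000

SAMPLE_NETSTAT = [
    "TCP    0.0.0.0:139       0.0.0.0:0        LISTENING",
    "TCP    0.0.0.0:17300     0.0.0.0:0        LISTENING",
    "UDP    0.0.0.0:137       *:*",
]

if __name__ == "__main__":
    print("WININIT.INI swap entries:",
          explorer_swap_entries(parse_wininit_renames(SAMPLE_WININIT)))
    print("sample infected image flagged:", looks_prepended_by_weird(SAMPLE_INFECTED))
    print("sample clean image flagged:", looks_prepended_by_weird(SAMPLE_CLEAN))
    print("sockets on port 17300:", weird_port_sockets(SAMPLE_NETSTAT))
```

On a suspect Windows 9x host, feed it the real C:\WINDOWS\WININIT.INI, the bytes of each Explorer.* file in the Windows folder, and the output of netstat -an; a hit on any one check is a reason to run a full scan with a current AV database rather than proof of infection, since the file heuristic is an assumption of this example and port 17300 can be used by other software.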
Recommended Action
Check the main screen of the web interface for your FortiGate unit to confirm that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.