This 32-bit mass-mailer is packed with a file size of 14,245 bytes. This virus has its own SMTP engine, and tries to use the mail exchange record of target email addresses by first performing a DNS query against the domain name of email addresses gathered on the infected system.

Mass-mailing Routine
The virus will harvest emails from the host system by scanning files of certain extensions for what is considered a valid email address. The virus will scan the hard drive searching for valid email addresses, and will construct varied email messages with an infectious attachment then send to each address found on the infected system.

Next the virus uses its own SMTP code to attempt to log into MX servers which could exist for each found email address. The subject and body text are variable with only a couple of different possibilities, and the virus tries to attach itself to the email as a .ZIP file with a random name.

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option