This virus is 32-bit with a packed file size of 15,993 bytes. The virus contains instructions to spread via SMTP and to copy itself to folders with certain names in their title.
This virus will harvest email addresses from files with these extensions; htm,wab,txt,dbx,tbb,asp,php,sht,adb,mbx,eml,pmr.
The virus avoids selecting addresses which may have these names represented in the domain portion of the address -
The virus writes email addresses found to short text files in the System32 folder as files named like this -
and so on.
Loading at Windows startup
The virus will register itself to run at each Windows startup by creating this registry key and value -
_svchost.con = C:\Winnt\System32\svchost.com
The virus contains code to initiate a denial of service attack against three web sites -
Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option