W32/Zindos.A!worm
Analysis
Specifics
This 32-bit threat attempts to locate systems infected with W32/MyDoom.N-mm, as evidenced by the target system listening on TCP port 1034. The virus attempts to connect to that port and upload itself, causing the infected system to execute the uploaded file.

After infecting a system, the virus loads into memory and waits for a period of time before sending out persistent HTTP "GET" requests in an effort to cause a denial-of-service attack against 'microsoft.com'.
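As an added example that is not part of this Fortinet analysis, the script below flags the two network behaviours described above in a connection log: hosts probing TCP port 1034 on several targets, and hosts issuing bursts of requests to microsoft.com. The log format, the sample addresses and the thresholds are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample connection log (not from the page): "timestamp src dst dport proto [http_host]".
SAMPLE_LOG = """\
2004-07-27T10:00:01 10.0.0.5 10.0.0.9 1034 TCP
2004-07-27T10:00:02 10.0.0.5 10.0.0.12 1034 TCP
2004-07-27T10:00:09 10.0.0.9 10.0.0.5 445 TCP
2004-07-27T10:30:00 10.0.0.9 203.0.113.10 80 TCP microsoft.com
2004-07-27T10:30:01 10.0.0.9 203.0.113.10 80 TCP microsoft.com
2004-07-27T10:30:02 10.0.0.9 203.0.113.10 80 TCP microsoft.com
2004-07-27T10:31:00 10.0.0.21 203.0.113.10 80 TCP microsoft.com
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+)(?: (\S+))?$")

def parse_log(text):
    """Yield (ts, src, dst, dport, proto, host) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, proto, host = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(dport), proto, host

def find_port_1034_spreaders(text, min_targets=2):
    """Sources that opened TCP 1034 on at least min_targets distinct hosts: the page
    describes the worm probing for MyDoom.N systems listening on that port."""
    targets = defaultdict(set)
    for _, src, dst, dport, proto, _ in parse_log(text):
        if proto == "TCP" and dport == 1034:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

def find_get_floods(text, host="microsoft.com", threshold=20, window_s=60):
    """Sources with at least `threshold` requests to `host` inside one window_s-second
    bucket: the repeated-GET denial-of-service behaviour the page describes."""
    counts = Counter()
    for ts, src, _, _, _, h in parse_log(text):
        if h == host:
            counts[(src, int(ts.timestamp()) // window_s)] += 1
    return sorted({src for (src, _), n in counts.items() if n >= threshold})

if __name__ == "__main__":
    print("port-1034 spreaders:", find_port_1034_spreaders(SAMPLE_LOG))
    print("GET flooders:", find_get_floods(SAMPLE_LOG, threshold=3))
```

The default flood threshold is deliberately high; tune it to the normal request rate of the monitored network before alerting on it.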
Loading At Windows Startup
If the virus runs, it registers itself to load at each Windows startup from its current location on the compromised system:

HKEY_LOCAL_MACHINE\System\Microsoft\Windows\CurrentVersion\Run\Tray = (path of virus)\(virus file name)

The file name does not matter for the virus to launch; it could be named anything.
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
- Using the FortiGate manager, deny access to inbound traffic using TCP port 1034. It is necessary to first create a custom service under the "Firewall" setting within the FortiGate manager:
  - Select Firewall -> Service -> Custom
  - Under Protocol, select TCP/UDP
  - Select New
  - Enter a unique service name
  - Enter 1034 for Low and High under Destination Port, then select Add
Telemetry
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |