W32/MyDoom!worm
Analysis
This threat contains instructions to harvest email addresses and uploads the data to an FTP server. The threat does not contain any replication code and does not spread to other systems by email.
Email Address Gathering
The threat scans files with certain extensions for email addresses and saves them as "emails.txt". The contents of "emails.txt" are uploaded to a hard-coded FTP server. This is accomplished using the following imports from WININET.dll:
- FtpPutFileA
- FtpCreateDirectoryA
- FtpSetCurrentDirectoryA
The threat uses a hidden Internet Explorer process to connect to the FTP server in an effort to avoid detection by firewall programs.
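A static triage check built from the indicators stated above (the three WININET.dll FTP imports and the "emails.txt" drop file). This is an added example, not code from the analysis or from Fortinet; the sample byte blobs are constructed stand-ins, not real malware, and the indicator combination rule is an assumption meant to keep ordinary FTP clients out of the verdict.

```python
import re

# Indicators taken from the analysis: WININET.dll FTP imports used for the
# upload, and the file name the harvested addresses are written to.
FTP_IMPORTS = (b"FtpPutFileA", b"FtpCreateDirectoryA", b"FtpSetCurrentDirectoryA")
DROP_FILE = "emails.txt"


def triage(data: bytes) -> dict:
    """Scan a Win32 binary's raw bytes for the indicators and return a verdict.

    The verdict requires the whole combination (MZ header, WININET.dll, all
    three FTP imports, drop-file name): FtpPutFileA on its own is common in
    legitimate FTP tools, so any single indicator is too weak to alert on.
    """
    found = {
        "pe_header": data[:2] == b"MZ",
        "wininet_dll": re.search(rb"wininet\.dll", data, re.IGNORECASE) is not None,
        "ftp_imports": [name.decode() for name in FTP_IMPORTS if name in data],
        # The file name may be stored as an ASCII or a UTF-16LE wide string.
        "drop_file": DROP_FILE.encode("ascii") in data
        or DROP_FILE.encode("utf-16-le") in data,
    }
    found["verdict"] = (
        found["pe_header"]
        and found["wininet_dll"]
        and len(found["ftp_imports"]) == len(FTP_IMPORTS)
        and found["drop_file"]
    )
    return found


# Constructed sample (not real malware): a fake PE stub followed by strings
# as a linker would leave them in the import name table and data section.
SUSPECT = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"KERNEL32.dll\x00WININET.dll\x00"
    + b"\x00".join(FTP_IMPORTS) + b"\x00" + DROP_FILE.encode("utf-16-le")
)

# Constructed benign FTP client: uses FtpPutFileA but neither the other two
# imports nor the drop-file name, so the combination rule does not fire.
BENIGN = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
    + b"wininet.dll\x00FtpPutFileA\x00InternetOpenA\x00"
)

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage(blob))
```

String matching only works on unpacked binaries; a packed sample shows none of these names until it is unpacked or run in a sandbox.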
Miscellaneous
The email gathering routine resembles that of MyDoom virus variants.
Recommended Action
- Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option.
- Quarantine/delete infected files detected.
Detection Availability

Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |