W32/Virut.CE
Analysis
W32/Virut.CE is a polymorphic, appending, cavity and encrypted file infector that targets Win32 EXE/SCR, HTM, ASP and PHP files.
- Vx_5
- key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
- value: \??\%System%\winlogon.exe
- data: "\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1"
- CreateFile
- CreateProcess
- CreateProcessEx
- OpenFile
- QueryInformationProcess
- OTSP
- WC32
- WCUN
- WINC
- key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
- value: UpdateHost
- data: "{binary value}"
Win32 Infection
- Type 1 - EPO, appending, and multi-layer encryption (contains a decoder stub as cavity)
- Type 2 - Non-EPO, appending, and multi-layer encryption (contains a decoder stub as cavity)
- Type 3 - EPO, appending, and single-layer encryption
- Type 4 - Non-EPO, appending, and single-layer encryption
- Type 5 - Damaged (no jump going to virus code)
Webpage Infection
- HTM
- PHP
- ASP
- http://www.zi[Removed].pl
- http://pro[Removed].pl
- http://www.tEe[Removed].com
- http://j[Removed].pl
HOSTS File Modification
- 127.0.0.1 Zi[Removed].pl
- 127.0.0.1 j[Removed].pl
- 127.0.0.1 pro[Removed].pl
- 127.0.0.1 tEe[Removed].com
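The firewall whitelist entry listed under Analysis and the HOSTS overrides above are both host artifacts a defender can check for directly. The following Python is an added example, not part of this Fortinet entry: it parses a constructed copy of the AuthorizedApplications list (the `<path>:<scope>:<mode>:<display name>` data format shown above, with `%System%` standing for the system directory) and a constructed HOSTS file, and reports a firewall exception for winlogon.exe, an exception whose path carries the NT `\??\` prefix (an assumption of this example: entries written through the normal firewall UI use drive or environment-variable paths), and any non-loopback hostname pinned to a loopback address.

```python
"""Added example (not from the Fortinet entry): endpoint checks for two of the
artifacts listed above, run against constructed sample data."""
import ipaddress

# Constructed sample of the AuthorizedApplications List key as {value: data}.
# %System% is the page's placeholder for the Windows system directory.
SAMPLE_AUTHORIZED_APPS = {
    r"%ProgramFiles%\Messenger\msmsgs.exe":
        r"%ProgramFiles%\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"\??\%System%\winlogon.exe":
        r"\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1",
}

# Constructed HOSTS file sample; the .invalid names are placeholders.
SAMPLE_HOSTS = """\
# constructed HOSTS sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       example-c2.invalid
127.0.0.1       update.example.invalid   # trailing comment
10.0.0.5        intranet.corp.example
"""

# Names that legitimately resolve to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_authorized_app(data: str) -> dict:
    """Split an AuthorizedApplications data string into its four fields.

    The format is <path>:<scope>:<Enabled|Disabled>:<display name>. The path
    may itself contain a drive-letter colon, so split from the right.
    Raises ValueError when fewer than four fields are present.
    """
    path, scope, mode, name = data.rsplit(":", 3)
    return {"path": path, "scope": scope, "mode": mode, "name": name}


def firewall_findings(entries: dict) -> dict:
    """Return {value_name: [reasons]} for suspicious whitelist entries."""
    findings = {}
    for value_name, data in entries.items():
        reasons = []
        try:
            fields = parse_authorized_app(data)
        except ValueError:
            findings[value_name] = ["malformed entry"]
            continue
        path = fields["path"]
        basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        # winlogon.exe never needs an inbound firewall exception.
        if basename == "winlogon.exe":
            reasons.append(f"firewall exception for winlogon.exe ({fields['mode']})")
        # Assumption of this example: the NT object-manager prefix is not
        # something the firewall UI writes into this list.
        if path.startswith("\\??\\"):
            reasons.append("NT object path prefix (\\??\\) in firewall exception")
        if reasons:
            findings[value_name] = reasons
    return findings


def hosts_findings(text: str) -> list:
    """Return (hostname, address) pairs where a non-loopback name is pinned
    to a loopback address, ignoring blank lines and comments."""
    flagged = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; skip unparseable lines
        if not addr.is_loopback:
            continue
        for name in parts[1:]:
            if name.lower() not in LOOPBACK_NAMES:
                flagged.append((name, parts[0]))
    return flagged


if __name__ == "__main__":
    for value_name, reasons in firewall_findings(SAMPLE_AUTHORIZED_APPS).items():
        print("firewall:", value_name, "->", "; ".join(reasons))
    for name, addr in hosts_findings(SAMPLE_HOSTS):
        print("hosts:", name, "->", addr)
```

On a live system the same two functions would be fed the exported registry values and the contents of `%System%\drivers\etc\hosts`; the sample data here is constructed so the block runs offline.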
IRC Backdoor
- zi[Removed].pl
- pro[Removed].pl
- tEe[Removed].com
- j[Removed].pl
Recommended Action
FortiGate Systems
- Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability

| Product | Detection available |
|---|---|
| FortiGate | |
| FortiClient | |
| FortiAPS | |
| FortiAPU | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR | |