W32/MSNCorrupt

Analysis

  • Detection included in Fortinet Virus Update March 14 2003
    Firmware 2.30 AV definition 4.056
    Firmware 2.36 AV definition 4.056
  • Trojan is 32-bit with a size of 69,632 bytes, and was coded using Visual Basic 6
  • Trojan requires VB6 runtime library MSVBVM60.DLL on target system in order to be a threat
  • When executed, Trojan may copy itself to the Windows folder as “SysOps.exe” and launch itself, and modify the registry in order to load at next Windows startup –
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    "SysOps" = SysOps
  • Trojan waits for the infected user to start MSN Messenger – if this application is run, the Trojan may disable all incoming messages and send a notification message to the author of the virus as an alert that the Trojan is running on the victim’s computer
  • Trojan has functionality to allow uploads to the victim’s machine and to remotely execute the uploaded files, as well as to initiate a message flood attack against a contact listed in the MSN Messenger contact list of the infected user
  • The Trojan attempts to disable the Task Manager application via the registry; however, this is not functional in Windows 98 –
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
    "DisableTaskMgr" = 01, 00, 00, 00
  • Trojan contains the string “M$N Corruption” in its code
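The registry and file artifacts listed above can be checked from a defender's side with a short host sweep. The following PowerShell script is an added example and is not part of the Fortinet write-up; the key paths, the "SysOps" value name and the 69,632-byte size come from this page, while the Wow6432Node path (where a 32-bit process's HKLM Run write lands on 64-bit Windows) and the output format are this script's own assumptions.

```powershell
# Added host check for the W32/MSNCorrupt artifacts described on this page.
# Detection only: nothing is deleted or modified.
$findings = @()

# 1. Autorun entry "SysOps" under the HKLM Run key (native and WOW64 views).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # assumption: 64-bit host
)
foreach ($key in $runKeys) {
    $run = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains 'SysOps')) {
        $findings += "Run value 'SysOps' in $key -> $($run.SysOps)"
    }
}

# 2. Dropped copy "SysOps.exe" in the Windows folder.
$dropped = Join-Path $env:windir 'SysOps.exe'
if (Test-Path $dropped) {
    $size = (Get-Item $dropped).Length
    $note = if ($size -eq 69632) { 'size matches page' } else { 'size differs from page' }
    $findings += "File $dropped present ($size bytes, $note)"
}

# 3. Task Manager policy: DisableTaskMgr = 01 00 00 00 under HKCU.
#    Stored as REG_BINARY per the page; a DWORD of 1 is treated the same way.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -Name DisableTaskMgr -ErrorAction SilentlyContinue
if ($pol) {
    $v = $pol.DisableTaskMgr
    $isSet = if ($v -is [byte[]]) { ($v.Length -ge 1) -and ($v[0] -eq 1) } else { [int]$v -eq 1 }
    if ($isSet) { $findings += "DisableTaskMgr is set under HKCU (raw value: $($v -join ','))" }
}

# Report. Exit code 1 signals a hit so the script can be used from a scheduled task.
if ($findings.Count -eq 0) {
    Write-Output 'No W32/MSNCorrupt registry or file artifacts found.'
    exit 0
}
$findings | ForEach-Object { Write-Output "FOUND: $_" }
exit 1
```

A DisableTaskMgr hit on its own is not proof of this Trojan, since the same policy value is set by legitimate group policy; treat it as corroborating evidence next to the Run entry and the dropped file.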

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR