W32/Yaha.P@mm
Analysis
- Virus is 32-bit, with a compressed size of 45,568 bytes
- Virus icon resembles that of a TXT file associated with Notepad
- Virus may search the following list and attempt to terminate several antivirus- or firewall-related applications, based on a table of names
- Virus may copy itself to the Windows\System folder as "exeLoader.exe", and modify the registry to run this any time an EXE file is run:
  HKEY_CLASSES_ROOT\exefile\shell\open\command
  (Default) = "C:\Windows\System\exeLoader.exe" "%1" %*
  (the original value for the above was (Default) = "%1" %*)
- Virus modifies the registry to run at Windows startup:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
  MicrosoftServiceManager = C:\Windows\System\mstask32.exe
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
  MicrosoftServiceManager = C:\Windows\System\mstask32.exe
- Virus will create additional keys in the system registry:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Snakes\
  Author = R0xx
  Comments = This system belongs to the great Indians…
  Version = 2
  Web = http://www.indiansnakes.cjb.net
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZoneCheck\
  (Default) = pcb.gov.pk
  HKEY_LOCAL_MACHINE\Software\Microsoft\WinVer\
  (Default) = jsgpoo
- Next, the virus will scavenge the local drive for email addresses and send a copy of itself to the addresses found, in varying email formats, based on a randomly selected subject line and body text
- Message is structured such that it uses an exploit which will cause the attachment to launch automatically when the message is either opened or previewed in Outlook
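The registry changes above are the most reliable host-based indicators for this variant, so the following added example (not part of the original entry) checks an exported .reg file for them: the hijacked exefile handler, the MicrosoftServiceManager autorun values pointing at mstask32.exe, and the Snakes marker key. The .reg fragment embedded in the script is constructed sample data, not a real export.

```python
import re

# Constructed .reg export fragment resembling an infected host (sample data, not real telemetry).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Windows\\System\\exeLoader.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftServiceManager"="C:\\Windows\\System\\mstask32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Snakes]
"Author"="R0xx"
'''

CLEAN_EXE_COMMAND = '"%1" %*'  # stock default value for exefile\shell\open\command
EXEFILE_KEY = r'hkey_classes_root\exefile\shell\open\command'
RUN_KEYS = (r'hkey_local_machine\software\microsoft\windows\currentversion\run',
            r'hkey_local_machine\software\microsoft\windows\currentversion\runservices')
MARKER_KEY = r'hkey_local_machine\software\microsoft\snakes'

def parse_reg(text):
    """Return {key_path_lowercased: {value_name: data}} for the string values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            keys[current] = {}
        elif current is not None and '=' in line:
            name, _, data = line.partition('=')
            raw = data[1:-1] if data.startswith('"') and data.endswith('"') else data
            # Undo .reg escaping (\\ -> \ and \" -> "); '@' names the key's default value.
            keys[current][name.strip('"')] = re.sub(r'\\(.)', r'\1', raw)
    return keys

def find_yaha_indicators(keys):
    """Return findings for the three Yaha.P registry changes described above (empty list = clean)."""
    findings = []
    cmd = keys.get(EXEFILE_KEY, {}).get('@', CLEAN_EXE_COMMAND)
    if cmd != CLEAN_EXE_COMMAND:  # any other handler runs a third party before every EXE
        findings.append(f'exefile handler hijacked: {cmd}')
    for key in RUN_KEYS:
        target = keys.get(key, {}).get('MicrosoftServiceManager', '')
        if target.lower().endswith('mstask32.exe'):
            findings.append(f'autorun value MicrosoftServiceManager in {key} -> {target}')
    if MARKER_KEY in keys:
        findings.append(f'infection marker key {MARKER_KEY} present')
    return findings
```

Run it against `reg export HKLM` / `reg export HKCR` output from a suspect host; a hijacked exefile handler should be restored to `"%1" %*` before any cleanup tool is launched, since every EXE start otherwise passes through the loader.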