W32/Yaha.P@mm

Analysis

  • Virus is 32bit, with a compressed size of 45,568 bytes
  • Virus icon resembles that of a TXT file associated with Notepad
  • Virus may compare running processes against a built-in table of names and attempt to terminate several antivirus or firewall related applications
  • Virus may copy itself to the Windows\System folder as “exeLoader.exe”, and modify the registry to run this any time an EXE file is run –

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = "C:\Windows\System\exeLoader.exe" "%1" %*

    * original value for above was
    (Default) = "%1" %*

  • Virus modifies the registry to run at Windows startup –

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    MicrosoftServiceManager = C:\Windows\System\mstask32.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunServices\
    MicrosoftServiceManager = C:\Windows\System\mstask32.exe

  • Virus will create additional keys in the system registry –

    HKEY_LOCAL_MACHINE\Software\Microsoft\Snakes\
    Author = R0xx
    Comments = This system belongs to the great Indians…
    Version = 2
    Web = http://www.indiansnakes.cjb.net

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\ZoneCheck\
    (Default) = pcb.gov.pk

    HKEY_LOCAL_MACHINE\Software\Microsoft\WinVer\
    (Default) = jsgpoo

  • Next, the virus will scavenge the local drive for email addresses and send a copy of itself to addresses found in varying email formats, based on a randomly selected subject line and body text
  • Message is structured such that it uses an exploit which causes the attachment to launch automatically when the message is either opened or previewed in Outlook
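One way to check an exported registry snapshot for the persistence entries listed above, as an added example in Python (not Fortinet's code): the .reg text is constructed for this example, and the key names, value names and file names come from the analysis on this page.

```python
import re

EXPECTED_EXEFILE_CMD = '"%1" %*'  # value the EXE association holds on an unmodified system
EXEFILE_KEY = r'HKEY_CLASSES_ROOT\exefile\shell\open\command'
RUN_BASE = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion'
RUN_KEYS = (RUN_BASE + r'\Run', RUN_BASE + r'\RunServices')
MARKER_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Snakes'
FILE_NAMES = ('exeloader.exe', 'mstask32.exe')

# Constructed sample export (hand-written for this example, not a dump from an infected host)
SAMPLE_EXPORT = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Windows\\System\\exeLoader.exe\" \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftServiceManager"="C:\\Windows\\System\\mstask32.exe"
"SomeLegitApp"="C:\\Program Files\\Vendor\\app.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Snakes]
"Author"="R0xx"
'''

def parse_reg_export(text):
    """Parse the subset of .reg syntax used above into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and '=' in line:
            name, _, data = line.partition('=')
            name = '(Default)' if name == '@' else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r'\\(.)', r'\1', data[1:-1])  # undo .reg escaping of \ and "
            keys[current][name] = data
    return keys

def scan_registry(keys):
    """Return findings matching the persistence this analysis describes."""
    findings = []
    cmd = keys.get(EXEFILE_KEY, {}).get('(Default)', EXPECTED_EXEFILE_CMD)
    if cmd.strip() != EXPECTED_EXEFILE_CMD:
        findings.append(f'exefile association hijacked: {cmd}')
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if name == 'MicrosoftServiceManager' or data.lower().endswith(FILE_NAMES):
                findings.append(f'autorun entry {key}\\{name} = {data}')
    if MARKER_KEY in keys:
        findings.append(f'marker key present: {MARKER_KEY}')
    return findings
```

Running `scan_registry(parse_reg_export(SAMPLE_EXPORT))` reports the hijacked EXE association, the mstask32.exe autorun entry and the marker key, while leaving the unrelated Run entry alone.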

Telemetry

Detection Availability

  • FortiClient: Extreme
  • FortiMail: Extreme
  • FortiSandbox: Extreme
  • FortiWeb: Extreme
  • Web Application Firewall: Extreme
  • FortiIsolator: Extreme
  • FortiDeceptor: Extreme
  • FortiEDR