W32/Stepaik!worm.p2p
Analysis
- The virus is 32-bit, with a file size of 86,016 bytes.
- If the virus is run, it may copy itself to the Windows\System32 folder as "asrss.exe" and modify the registry to load at Windows startup, as in this example:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
  System Recovery Agent = c:\winnt\system32\asrss.exe
- When the virus runs at the next Windows startup, it will create a mutex named "AMX" and run as a process.
- The virus may also copy itself to the shared folder of Kazaa, as in this example:
  c:\program files\kazaa\my shared folder\alegia.pif
  c:\program files\kazaa\my shared folder\KazaaXPSetup.exe
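
The following Python is an added example, not part of the original analysis: it checks the text output of `reg query` on the Run key and a file listing for the indicators described above. The function names and sample data are constructed for illustration, and the size-only match in the Kazaa folder is an assumption that copies under other names keep the 86,016-byte size; the "AMX" mutex is not covered.

```python
import re

# Indicators from the analysis above (compared case-insensitively).
RUN_VALUE = "system recovery agent"
DROPPED_NAME = "asrss.exe"
DROPPED_SIZE = 86016
KAZAA_DIR = "\\kazaa\\my shared folder\\"
KAZAA_NAMES = {"alegia.pif", "kazaaxpsetup.exe"}
# A value line of `reg query` output: indented name, type, data.
REG_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")

# Constructed sample input, not captured from a real host.
SAMPLE_REG = """HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    System Recovery Agent    REG_SZ    c:\\winnt\\system32\\asrss.exe
    Example Updater    REG_SZ    "C:\\Program Files\\Example\\updater.exe" /background
"""
SAMPLE_FILES = [
    ("C:\\WINNT\\System32\\asrss.exe", 86016),
    ("c:\\program files\\kazaa\\my shared folder\\KazaaXPSetup.exe", 86016),
    ("c:\\program files\\kazaa\\my shared folder\\song.mp3", 4194304),
    ("c:\\program files\\kazaa\\my shared folder\\renamed.exe", 86016),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def run_values(reg_text):
    """Parse `reg query <Run key>` text into {value name: data}."""
    matches = (REG_LINE.match(line) for line in reg_text.splitlines())
    return {m.group(1): m.group(3).strip() for m in matches if m}


def triage(reg_text, files):
    """files: iterable of (path, size in bytes). Returns (kind, detail) findings."""
    findings = []
    for name, data in run_values(reg_text).items():
        if name.lower() == RUN_VALUE or basename(data.strip('"')) == DROPPED_NAME:
            findings.append(("run-key", f"{name} = {data}"))
    for path, size in files:
        low, base = path.lower(), basename(path)
        if base == DROPPED_NAME and "\\system32\\" in low:
            findings.append(("dropped-file", path))
        elif KAZAA_DIR in low and base in KAZAA_NAMES:
            findings.append(("kazaa-share", path))
        elif KAZAA_DIR in low and size == DROPPED_SIZE:
            findings.append(("kazaa-share-size", path))  # same size, other name
    return findings
```

A "kazaa-share-size" finding is only a lead for further inspection, since an unrelated file can have the same size.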