VirusW32/Reur.C!worm.p2p
Analysis
- Virus is 32bit with a compressed file size of 424,832
bytes
- The virus poses as a "crack" utility
or possibly as a "key generator", both are
generally used to make shareware or trial versions
of applications fully functional
- If the virus is run, it will display a fake error
message like this -
ERREUR
The file are corrupted. Please obtain a new copy of the program.
[OK]
-
it will copy itself to the undefinedWindowsundefined\System32 folder by a random file name, and modify the registry to auto run at next Windows startup as in this example -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
3F781D13 = C:\WINNT\SYSTEM32\3F781D13.exe
-
The virus will search the hard drive for the common installation path of eMule for English Windows
-
The virus will write files into the shared folder of eMule if it finds these files or file folder
C:\Program Files\eMule\eMule.exe
C:\Program Files\eMule\config\preferences.ini
C:\Program Files\eMule\Incoming\
-
The virus could write the following files -
AOL Hacker 2004.exe
Hotmail Hacker 2004.exe
Portable Orange (FT) Keygen.exe
Yahoo Mail Hacker 2004.exe
WinZip All Version Keygen.exe
WinRAR All Version Keymaker.exe
Sexy ScreenSaver 2004.exe
Free Hard Porn 2004.exe
Wanadoo Hacking Tool 2004.exe
Alcohol 120undefined 1.4.8.1009 CORE Keygen.exe
Homeworld 2 DEViANCE Keygen.exe
Recommended Action
- Avoid downloading .EXE files with peer-to-peer applications
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |