W32/Wanor@mm
Analysis
- Virus is 32-bit and was coded using Visual Basic 5, with a size of 71,168 bytes
- Virus requires the VB5 runtime library file MSVBVM50.DLL in order to be a threat
- If the virus is run, it will copy itself as "Winm.exe" to the Inf folder within Windows and then modify the registry to load at Windows startup:
  - HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run\
    Windows main module = Windows\Inf\Winm.exe
  - HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run\
    Windows main module = Windows\Inf\Winm.exe
  - HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\RunServices\
    Windows main module = Windows\Inf\Winm.exe
- Virus will copy itself to the Windows folder as Winscr.scr
- Additional files related to this virus may be created in the Windows\System folder:
  - Msdepw32.dll
  - Msdtv.dll
  - WinConsl.dll
- Virus will attempt to send a single email to every contact found in the Outlook Address Book, with an infectious file attachment named Winscr.scr; the subject and body of the email are chosen from a short list of possible choices
- Virus may attempt to copy itself to the shared folders of the peer-to-peer file sharing applications Morpheus, eDonkey2000, Grokster and Sharebear
- Virus contains this text string in its code:
  Nucleus of Kernel has been Loaded Successful
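As an added example (not part of the Fortinet entry), the following Python triage script checks a host for the persistence and file-drop artifacts listed above. It takes an exported registry file (.reg text) and a list of file paths as plain strings, so it can be run offline against collected evidence; the registry export and directory listing embedded below are constructed samples, and the `C:\Windows` install location is an assumption that can be overridden. Matching is done on the key suffix `CurrentVersion\Run` / `CurrentVersion\RunServices`, the value name `Windows main module`, and the data tail `Inf\Winm.exe`, so it works whether the hive or the exact parent key differs from the page's listing.

```python
"""
Added example, not the encyclopedia entry's own code: offline triage for the
W32/Wanor@mm artifacts described in the Analysis section.
Inputs: a .reg-style export (string) and a list of full file paths.
"""
import re

# Artifacts named in the Analysis section above.
RUN_VALUE_NAME = "Windows main module"
RUN_KEY_SUFFIXES = (r"\currentversion\run", r"\currentversion\runservices")
DROPPED_FILES = {                     # paths relative to the Windows folder
    r"inf\winm.exe",
    r"winscr.scr",
    r"system\msdepw32.dll",
    r"system\msdtv.dll",
    r"system\winconsl.dll",
}

KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...\Key\Path]
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "Name"="string data"


def find_run_entries(reg_text: str) -> list[dict]:
    """Return Run/RunServices values named 'Windows main module' pointing at Inf\\Winm.exe."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and current_key):
            continue
        # .reg exports escape backslashes in string data as "\\"; undo that.
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if (name == RUN_VALUE_NAME
                and current_key.lower().endswith(RUN_KEY_SUFFIXES)
                and data.lower().endswith(r"inf\winm.exe")):
            findings.append({"key": current_key, "value": name, "data": data})
    return findings


def find_dropped_files(paths: list[str], windows_dir: str = r"C:\Windows") -> list[str]:
    """Return paths whose location relative to the Windows folder matches a dropped file."""
    prefix = windows_dir.lower().rstrip("\\") + "\\"
    return [p for p in paths
            if p.lower().startswith(prefix) and p.lower()[len(prefix):] in DROPPED_FILES]


def triage(reg_text: str, paths: list[str], windows_dir: str = r"C:\Windows") -> dict:
    """Combine both checks into one report."""
    return {
        "run_entries": find_run_entries(reg_text),
        "dropped_files": find_dropped_files(paths, windows_dir),
    }


# Constructed sample inputs (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows main module"="Windows\\Inf\\Winm.exe"
"SomeUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows main module"="Windows\\Inf\\Winm.exe"
'''

SAMPLE_LISTING = [
    r"C:\Windows\Inf\Winm.exe",
    r"C:\Windows\Winscr.scr",
    r"C:\Windows\System\Msdtv.dll",
    r"C:\Windows\System\kernel32.dll",
    r"C:\Windows\notepad.exe",
]

if __name__ == "__main__":
    report = triage(SAMPLE_REG, SAMPLE_LISTING)
    for entry in report["run_entries"]:
        print(f"[!] autostart: {entry['key']} -> {entry['value']} = {entry['data']}")
    for path in report["dropped_files"]:
        print(f"[!] dropped file present: {path}")
```

On a live machine the .reg text would come from an export of the Run and RunServices keys and the listing from the Windows, Windows\Inf and Windows\System folders; any hit on the Winscr.scr name could also be checked in the P2P shared folders named in the analysis.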
Telemetry
Detection Availability
Products listed in the detection table (per-product detection details are not recoverable from this page): FortiClient, FortiMail, FortiSandbox, FortiWeb, Web Application Firewall, FortiIsolator, FortiDeceptor, FortiEDR