W32/Wanor@mm

description-logoAnalysis

  • Virus is 32bit and was coded using Visual Basic 5 with a size of 71,168 bytes
  • Virus requires VB5 runtime library file MSVBVM50.DLL in order to be a threat
  • If virus is run, it will copy itself as “Winm.exe” to the Inf folder within Windows and then modify the registry to load at Windows startup –
    HKEY_CURRENT_USER\Software\Microsoft\
    CurrentVersion\Run\
    Windows main module = Windows\Inf\Winm.exe

    HKEY_CURRENT_MACHINE\Software\Microsoft\
    CurrentVersion\Run\
    Windows main module = Windows\Inf\Winm.exe

    HKEY_CURRENT_MACHINE\Software\Microsoft\CurrentVersion\RunServices\
    Windows main module = Windows\Inf\Winm.exe

  • Virus will copy itself to the Windows folder as Winscr.scr

  • Additional files may be created related to this virus into the Windows\System folder –
    Msdepw32.dll
    Msdtv.dll
    WinConsl.dll

  • Virus will attempt to send an email to every contact found in the Outlook Address book in one email with an infectious file attachment named Winscr.scr – the subject and body of the emails are chosen from a short list of possible choices

  • Virus may attempt to copy itself to shared folders for peer-to-peer file sharing applications Morpheus, eDonkey2000, Grokster and Sharebear

  • Virus contains this text string in its code –
    Nucleus of Kernel has been Loaded Successful

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR