W32/Scorvan.A
Analysis
- The virus is 32-bit, with a compressed size of 15,872 bytes
- When the virus is launched, it starts an instance of the application CALC in order to mask its appearance; the virus loads into memory and waits for a period of time before performing other actions
- The virus may attempt to copy itself to the root drive under a constructed filename:
[part 1] + “ ” + [“Calc.exe” or “Calculator.exe” or “Analyzer.scr”]
In the above, “part 1” is selected from the following list of names:
Basic, Scientific, Brain, Flames, Lovers, Loving, Trojan, Virus, Sperm, Blood, Heart, Lemmings, Worm, vAndEEd0, Scorpion, Permutation, The Best, Cool, Modified, Love, FBI, Hackers, Hacker, Game, Friendship
- The virus may use a new constructed file name to copy itself into the shared folder location for the peer-to-peer file sharing applications Kazaa, Bearshare, KMD, Limewire, Grokster and eDonkey2000
- The virus may use a new constructed file name to copy itself into the Windows\Desktop folder
- The virus may attempt to open or close the CD tray
- The virus contains the following text at the top of its code:
This vAndEEd0 program. worm.scorpion...
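The filename construction described above can be turned into a triage check for file listings collected from a host. This is an added example, not part of the original analysis: the function names, the verdict labels, the case-insensitive comparison and the sample listing are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Name components exactly as listed in the analysis above.
PART1 = [
    "Basic", "Scientific", "Brain", "Flames", "Lovers", "Loving", "Trojan",
    "Virus", "Sperm", "Blood", "Heart", "Lemmings", "Worm", "vAndEEd0",
    "Scorpion", "Permutation", "The Best", "Cool", "Modified", "Love", "FBI",
    "Hackers", "Hacker", "Game", "Friendship",
]
SUFFIXES = ["Calc.exe", "Calculator.exe", "Analyzer.scr"]
REPORTED_SIZE = 15872  # bytes, the compressed size given in the analysis

# [part 1] + one space + [suffix]. Case is ignored (assumption: Windows
# file names compare case-insensitively).
NAME_RE = re.compile(
    r"(?:%s) (?:%s)" % ("|".join(map(re.escape, PART1)),
                        "|".join(map(re.escape, SUFFIXES))),
    re.IGNORECASE,
)

def classify(path, size):
    """Return 'name+size', 'name-only' or 'no-match' for one file entry."""
    name = PureWindowsPath(path).name
    if not NAME_RE.fullmatch(name):
        return "no-match"
    return "name+size" if size == REPORTED_SIZE else "name-only"

def triage(listing):
    """Keep only entries whose file name fits the constructed pattern."""
    hits = []
    for path, size in listing:
        verdict = classify(path, size)
        if verdict != "no-match":
            hits.append((path, verdict))
    return hits

# Constructed sample listing (path, size in bytes); not from a real host.
SAMPLE = [
    (r"C:\Lovers Calculator.exe", 15872),
    (r"C:\Users\a\Desktop\the best analyzer.scr", 20480),
    (r"C:\Windows\System32\calc.exe", 15872),
    (r"C:\Shared\LoveCalc.exe", 15872),
    (r"C:\Shared\Hacker Calc.exe.txt", 15872),
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE):
        print(f"{verdict:10} {path}")
```

A name-only hit is a lead to examine rather than a verdict, since the size may differ from the reported value for reasons the analysis does not cover.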
Telemetry
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |