Virus

W32/Mantibe

Analysis

  • The virus is 32-bit, has a compressed file size of 57,603 bytes and was coded using Visual Basic 6
  • The virus depends on the VB Runtime Library file MSVBVM60.DLL in order to be a threat
  • If the virus is run, it may copy itself into the %Windows%\System folder under the same filename (such as "beso.jpg.exe") and will then modify the registry to load at Windows startup, as in this example -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    "Mantis" = C:\Windows\System\beso.jpg.exe

  • The virus may display an image on the desktop with a title of "beso" - the image is of two females embraced in a kiss - the image can be closed without incident

  • After the system becomes infected and the host is restarted, the virus will load from the registry and attempt to copy itself to floppy disks that are used on the infected system - the virus will copy itself as "a:\beso.jpg.exe"

  • The virus may create text files on the infected system, used for temporary storage, as -

    c:\Ascii.txt
    c:\w12.txt
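
The indicators listed above can be checked with a short script; the following is an added example, not part of the original analysis. It goes slightly beyond this one virus by also flagging any autorun target with an image or document extension followed by an executable one. The extension lists, function names and sample data are assumptions constructed for illustration.

```python
import ntpath

# Indicators taken from the write-up above (compared in lower case).
RUN_VALUE_NAME = "mantis"
DROPPED_NAME = "beso.jpg.exe"
TEMP_FILES = {r"c:\ascii.txt", r"c:\w12.txt"}
# Assumed extension lists for the generic check; not from the write-up.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc", ".pdf"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat"}

def _target(command):
    # Assumption: the Run value is a bare path, optionally quoted, no arguments.
    return command.strip().strip('"')

def has_double_extension(path):
    """True for names like x.jpg.exe, shown as x.jpg when extensions are hidden."""
    stem, last = ntpath.splitext(ntpath.basename(_target(path)).lower())
    inner = ntpath.splitext(stem)[1]
    return last in EXEC_EXTS and inner in DECOY_EXTS

def check_run_entries(run_values):
    """run_values: {value name: command} read from a CurrentVersion Run key."""
    findings = []
    for name, command in run_values.items():
        target = _target(command)
        base = ntpath.basename(target).lower()
        if name.lower() == RUN_VALUE_NAME or base == DROPPED_NAME:
            findings.append((name, target, "matches W32/Mantibe indicator"))
        elif has_double_extension(target):
            findings.append((name, target, "double extension on autorun target"))
    return findings

def check_paths(paths):
    """Return paths matching the dropped copy or the temporary text files."""
    return [p for p in paths
            if ntpath.basename(p.lower()) == DROPPED_NAME or p.lower() in TEMP_FILES]

# Constructed sample data, not taken from a real host.
SAMPLE_RUN = {
    "Mantis": r"C:\Windows\System\beso.jpg.exe",
    "Updater": r'"C:\Program Files\Vendor\update.exe"',
    "Photo": r"C:\Temp\holiday.gif.scr",
}
SAMPLE_PATHS = [r"a:\beso.jpg.exe", r"c:\Ascii.txt", r"c:\w12.txt", r"c:\notes.txt"]

if __name__ == "__main__":
    for finding in check_run_entries(SAMPLE_RUN):
        print(finding)
    print(check_paths(SAMPLE_PATHS))
```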