W32/Lamin.B
Analysis
- The virus is a 32-bit Windows executable with a viral body of 32,924 bytes
- It infects 32-bit executable files on the local system and also acts as a remote access Trojan, letting an attacker connect to the infected system and send it commands over IRC
- It may reach a system from another infected user across a network share, or from an infected IRC user
- When run, it may terminate applications or services belonging to antivirus or firewall products such as ZoneAlarm
- It then infects other EXE files on the local system; infected files grow by at least 32,000 bytes, and in some cases by as much as 36,000 bytes
- The virus code is appended to the infected file, and the file's entry point is modified to point directly into the virus code
- When the virus code finishes running, it passes control back to the host program
- Although infected files grow in size, their time and date stamps are not modified, so a search for files modified in the last day will not reveal them
- The virus writes a .DLL with a random file name to the local system and modifies the registry so that it is loaded at the next Windows startup, as in this example:
HKEY_CLASSES_ROOT\CLSID\
{52F7FFDF-D0CF-5CC3-5F4F-C6D8F7D65F0D}\InProcServer32\
"(Default)" = C:\WINNT\System32\Ldidghgj.dll
"ThreadingModel" = Apartment
- The virus may write its code in encrypted form, under a random file name, to two locations:
%Temp%\aliypqht.vcu (31,964 bytes)
%Windows%\system32\Ldidghgj.dll (31,964 bytes)
- The virus runs DNS queries for several IRC servers in order to find a usable IP address to connect to:
IRC.DAL.NET
IRC.ARKHNET.COM
IRC.RTDPTRX.ES
POWERTECH.NO.EU.DAL.NET
- The virus connects to one of these servers on TCP port 6667 and awaits commands from the channel
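Because the infector leaves file timestamps untouched, a modified-time search is useless; the durable signal is structural: the entry point has been redirected into code appended after the original sections. The script below is an added example, not code from the page or from Fortinet, and it parses a PE header by hand to flag an entry point that lands in the last section (or outside every section), an entry section that is both writable and executable, and trailing overlay data. The "clean" and "infected" images are constructed fixtures built in memory by the hypothetical build_pe helper; they are not the real W32/Lamin.B layout, and the 32,924-byte appended section only mirrors the body size the page reports.

```python
import struct

SECTION_HDR = '<8sIIIIIIHHI'           # IMAGE_SECTION_HEADER, 40 bytes
SCN_CNT_CODE = 0x00000020
SCN_CNT_INIT = 0x00000040
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000


def build_pe(sections, entry_rva, file_align=0x200):
    """Assemble a minimal PE32 image in memory (constructed test fixture, not a real binary).

    sections: list of (name, virtual_address, raw_bytes, characteristics).
    """
    headers_len = 64 + 4 + 20 + 224 + 40 * len(sections)
    headers_len = (headers_len + file_align - 1) // file_align * file_align

    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 60, 64)              # e_lfanew: PE signature follows the DOS header
    coff = struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, 224, 0x0102)

    opt = bytearray(224)                             # PE32 optional header
    struct.pack_into('<H', opt, 0, 0x10B)            # Magic
    struct.pack_into('<I', opt, 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into('<I', opt, 28, 0x400000)        # ImageBase
    struct.pack_into('<I', opt, 32, 0x1000)          # SectionAlignment
    struct.pack_into('<I', opt, 36, file_align)      # FileAlignment
    struct.pack_into('<I', opt, 60, headers_len)     # SizeOfHeaders

    table, body, raw_ptr = b'', b'', headers_len
    for name, va, raw, chars in sections:
        raw = raw.ljust((len(raw) + file_align - 1) // file_align * file_align, b'\0')
        table += struct.pack(SECTION_HDR, name.ljust(8, b'\0'), len(raw), va,
                             len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
    image = bytes(dos) + b'PE\0\0' + coff + bytes(opt) + table
    return image.ljust(headers_len, b'\0') + body


def parse_pe(data):
    """Return (entry point RVA, list of section dicts) from a PE byte string."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ executable')
    e_lfanew = struct.unpack_from('<I', data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('PE signature missing')
    nsec, = struct.unpack_from('<H', data, e_lfanew + 6)        # NumberOfSections
    opt_size, = struct.unpack_from('<H', data, e_lfanew + 20)   # SizeOfOptionalHeader
    entry, = struct.unpack_from('<I', data, e_lfanew + 40)      # AddressOfEntryPoint
    table = e_lfanew + 24 + opt_size
    secs = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = \
            struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        secs.append({'name': name.rstrip(b'\0').decode('latin-1'), 'va': va,
                     'vsize': vsize, 'rawsize': rawsize, 'rawptr': rawptr, 'chars': chars})
    return entry, secs


def entry_point_findings(data):
    """Structural indicators of an appending file infector; an empty list means nothing suspicious."""
    entry, secs = parse_pe(data)
    host = next((s for s in secs if s['va'] <= entry < s['va'] + max(s['vsize'], s['rawsize'])), None)
    findings = []
    if host is None:
        findings.append('entry point 0x%x lies outside every section' % entry)
    else:
        if len(secs) > 1 and host is secs[-1]:
            findings.append('entry point in last section %r (appended code?)' % host['name'])
        if host['chars'] & SCN_MEM_WRITE and host['chars'] & SCN_MEM_EXECUTE:
            findings.append('entry section %r is both writable and executable' % host['name'])
    end_of_data = max(s['rawptr'] + s['rawsize'] for s in secs)
    if len(data) > end_of_data:
        findings.append('%d bytes of overlay after the last section' % (len(data) - end_of_data))
    return findings


# Constructed fixtures: a two-section host, and the same host with a W+X section appended and the entry point moved into it.
CLEAN = build_pe([
    (b'.text', 0x1000, b'\x90' * 0x100, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
    (b'.data', 0x2000, b'\0' * 0x80, SCN_CNT_INIT | SCN_MEM_READ | SCN_MEM_WRITE),
], entry_rva=0x1010)
INFECTED = build_pe([
    (b'.text', 0x1000, b'\x90' * 0x100, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
    (b'.data', 0x2000, b'\0' * 0x80, SCN_CNT_INIT | SCN_MEM_READ | SCN_MEM_WRITE),
    (b'.lamin', 0x3000, b'\xcc' * 32924, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE),
], entry_rva=0x3000)

if __name__ == '__main__':
    print('clean:', entry_point_findings(CLEAN))
    print('infected:', entry_point_findings(INFECTED))
    print('growth:', len(INFECTED) - len(CLEAN), 'bytes')
```

Treat the last-section hit as a triage signal rather than a verdict: packers and some linkers legitimately place the entry point in a late section, so a hit should be followed by comparing the file against a known-good copy or submitting it to a sandbox.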
Recommended Action
- If IRC chat is not used in your organization, block connections to the following addresses using the URL block feature of FortiGate:
IRC.DAL.NET
IRC.ARKHNET.COM
IRC.RTDPTRX.ES
POWERTECH.NO.EU.DAL.NET
- If IRC chat is not used in your organization, disallow connections from
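Blocking the four names stops the documented servers, but the same behaviour (a lookup of one of those names followed by a TCP/6667 connection to the answer) is also a detection: a host that does both in sequence is almost certainly infected, while bare TCP/6667 traffic is only a weak lead where IRC is not sanctioned. The following correlation script is an added example, not from the page or from Fortinet; it runs over constructed tab-separated DNS and connection log lines with Zeek-style field names, which are sample data and not real telemetry.

```python
import csv
import io

# Servers the analysis lists as the virus's DNS targets (compared case-insensitively).
IRC_C2_NAMES = {
    'irc.dal.net',
    'irc.arkhnet.com',
    'irc.rtdptrx.es',
    'powertech.no.eu.dal.net',
}
IRC_PORT = '6667'

# Constructed sample logs (Zeek-style field names); not real telemetry.
# 10.0.0.5 and 10.0.0.9 resolve a listed server and then connect to the answer on 6667;
# 10.0.0.12 talks to an unrelated address on 6667; 10.0.0.7 is ordinary HTTPS.
DNS_LOG = """\
ts\tid.orig_h\tquery\tanswers
1700000001\t10.0.0.5\tIRC.DAL.NET\t203.0.113.10
1700000002\t10.0.0.7\twww.example.com\t198.51.100.7
1700000003\t10.0.0.9\tirc.rtdptrx.es.\t203.0.113.22
"""
CONN_LOG = """\
ts\tid.orig_h\tid.resp_h\tid.resp_p\tproto
1700000004\t10.0.0.5\t203.0.113.10\t6667\ttcp
1700000005\t10.0.0.7\t198.51.100.7\t443\ttcp
1700000006\t10.0.0.9\t203.0.113.22\t6667\ttcp
1700000007\t10.0.0.12\t192.0.2.44\t6667\ttcp
1700000008\t10.0.0.12\t192.0.2.44\t6667\tudp
"""


def read_tsv(text):
    """Parse a tab-separated log with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter='\t'))


def irc_c2_alerts(dns_text, conn_text, names=IRC_C2_NAMES, port=IRC_PORT):
    """Correlate lookups of the listed IRC servers with later TCP/6667 connections.

    Returns (source host, severity, reason) tuples:
      high - the host resolved a listed name and then connected to the returned
             address on 6667, the sequence the analysis describes
      low  - TCP/6667 to an address that no listed-name lookup from that host
             returned; worth a look where IRC is not sanctioned
    """
    resolved = {}  # (client, answer IP) -> queried name
    for row in read_tsv(dns_text):
        qname = row['query'].lower().rstrip('.')
        if qname in names:
            for ip in row['answers'].split(','):
                resolved[(row['id.orig_h'], ip.strip())] = qname

    alerts = []
    for row in read_tsv(conn_text):
        if row['proto'] != 'tcp' or row['id.resp_p'] != port:
            continue
        src, dst = row['id.orig_h'], row['id.resp_h']
        name = resolved.get((src, dst))
        if name:
            alerts.append((src, 'high', 'connected to %s (%s) on TCP/%s after resolving it' % (name, dst, port)))
        else:
            alerts.append((src, 'low', 'TCP/%s to %s with no listed-server lookup' % (port, dst)))
    return alerts


if __name__ == '__main__':
    for src, severity, reason in irc_c2_alerts(DNS_LOG, CONN_LOG):
        print(src, severity, reason)
```

The correlation is keyed on the client and the answered address rather than on the name alone, so a lookup that never turns into a connection (a resolver probe, a sandbox) does not fire the high-severity alert, and a connection to a server the virus found by some other means still surfaces at low severity.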
Detection Availability
Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |