W32/Yaha.AF!worm
Analysis
- Virus is 32bit with a compressed size of 58,880 bytes
- Virus may be introduced to the system as an email attachment from an infected computer, or from another infected computer on a network
- If the virus is run, it will write itself to several locations -
c:\Documents and Settings\All Users\Start Menu\Programs\Startup\MSMGR32.EXE
c:\Documents and Settings\(every user account)\Start Menu\Programs\Startup\MSMGR32.EXE
c:\WINNT\system32\EXE32.EXE
c:\WINNT\system32\MSMGR32.EXE
- The virus will then modify the registry to auto run at Windows startup -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"MsManager" = C:\WINNT\System32\MSMGR32.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"MsManager" = C:\WINNT\System32\MSMGR32.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
"MsManager" = C:\WINNT\System32\MSMGR32.EXE
- The virus will modify the registry to run the virus any time certain file types are run -
HKEY_CLASSES_ROOT\batfile\shell\open\command\
"(Default)" = "C:\WINNT\System32\EXE32.EXE" "%1" %* (original value: "%1" %*)
HKEY_CLASSES_ROOT\comfile\shell\open\command\
"(Default)" = "C:\WINNT\System32\EXE32.EXE" "%1" %* (original value: "%1" %*)
HKEY_CLASSES_ROOT\exefile\shell\open\command\
"(Default)" = "C:\WINNT\System32\EXE32.EXE" "%1" %* (original value: "%1" %*)
HKEY_CLASSES_ROOT\scrfile\shell\open\command\
"(Default)" = "C:\WINNT\System32\EXE32.EXE" "%1" /S (original value: "%1" /S)
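The two registry changes above (the Run/RunServices autostart values and the hijacked open commands for .bat, .com, .exe and .scr handlers) can be checked offline against a `reg export` of the affected keys. The script below is an added example, not Fortinet's code or a tool from the page: it parses the REG_SZ subset of .reg syntax, compares each handler's default value with the stock Windows value the page lists as the original, and flags autostart values that point at MSMGR32.EXE or EXE32.EXE. The sample export it runs on is constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Stock Windows open-command values for the file types the worm hijacks;
# these match the "original value" entries reported on the page.
EXPECTED_OPEN_COMMAND = {
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\scrfile\shell\open\command": '"%1" /S',
}

# Autostart keys listed on the page, and the file names the worm drops.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
WORM_FILES = ("msmgr32.exe", "exe32.exe")

# Matches '@="..."' (default value) or '"name"="..."' lines of a .reg export.
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def _unescape(s: str) -> str:
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax produced by 'reg export' that this
    check needs: [key] headers and REG_SZ values. Returns {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].rstrip("\\")
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line) if current else None
        if not m:
            continue  # dword/binary values are not needed for this check
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys


def find_hijacks(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, finding, data) for every open command that no longer holds
    its stock value and every autostart value that launches a worm file."""
    findings: List[Tuple[str, str, str]] = []
    for key, expected in EXPECTED_OPEN_COMMAND.items():
        data = keys.get(key, {}).get("(Default)")
        if data is not None and data != expected:
            findings.append((key, f"open-command hijack, expected {expected}", data))
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if data.lower().rstrip('"').endswith(WORM_FILES):
                findings.append((key, f"autostart value {name}", data))
    return findings


# Constructed sample export (not a capture from an infected host): the exefile
# and scrfile handlers are hijacked, batfile is intact, one Run entry is the worm.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINNT\\System32\\EXE32.EXE\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"C:\\WINNT\\System32\\EXE32.EXE\" \"%1\" /S"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsManager"="C:\\WINNT\\System32\\MSMGR32.EXE"
"Harmless"="C:\\Program Files\\Example\\app.exe"
'''

if __name__ == "__main__":
    for key, finding, data in find_hijacks(parse_reg_export(SAMPLE_REG)):
        print(f"{finding}\n  {key}\n  current: {data}")
```

Restoring the handlers means writing the expected value back, and the script reports that value with each hijack finding; note that as long as exefile is hijacked, running any .exe (including a cleanup tool) launches EXE32.EXE first, so the default values should be fixed before the dropped files are removed and the startup-folder copies deleted.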
- The virus modifies and creates new HOSTS and LMHOSTS files on the infected system to redirect attempts to reach Microsoft and some antivirus vendor websites -
127.0.0.1 www.symantec.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.sophos.com
127.0.0.1 www.avp.ch
127.0.0.1 www.mcafee.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www3.ca.com
127.0.0.1 www.ca.com
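The HOSTS entries above are visible to any host-based check, because a name listed in HOSTS bypasses DNS entirely. The following script is an added example, not part of the Fortinet page: it parses HOSTS-format text (comments, blank lines and several names per line included), reports any entry for the vendor sites the page lists, and as a broader sweep reports every non-local name mapped to loopback or 0.0.0.0, which catches vendor sites a fixed watchlist does not know about. The sample file is constructed for the demonstration.

```python
import ipaddress
from typing import List, Tuple

# Names the page reports the worm maps to 127.0.0.1 in HOSTS/LMHOSTS.
WATCHLIST = frozenset({
    "www.symantec.com", "www.microsoft.com", "www.sophos.com", "www.avp.ch",
    "www.mcafee.com", "www.trendmicro.com", "www.pandasoftware.com",
    "www3.ca.com", "www.ca.com",
})
# Names that legitimately point at loopback in a stock HOSTS file.
LOCAL_NAMES = frozenset({"localhost", "localhost.localdomain", "broadcasthost"})


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname, skipping comments,
    blank lines and lines whose first field is not an IP address."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        pairs.extend((fields[0], name.lower()) for name in fields[1:])
    return pairs


def _is_sinkhole(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def find_vendor_overrides(text: str, watchlist=WATCHLIST) -> List[Tuple[str, str]]:
    """High-confidence hits: any HOSTS mapping at all for a watchlist name,
    since vendor and update sites have no business being pinned in HOSTS."""
    return [(a, n) for a, n in parse_hosts(text) if n in watchlist]


def find_loopback_overrides(text: str) -> List[Tuple[str, str]]:
    """Broader sweep: every non-local name mapped to loopback or 0.0.0.0."""
    return [(a, n) for a, n in parse_hosts(text)
            if n not in LOCAL_NAMES and _is_sinkhole(a)]


# Constructed sample (not a capture from an infected host).
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
10.0.0.5        fileserver.corp.example   # legitimate internal entry
127.0.0.1 www.symantec.com
127.0.0.1 www.microsoft.com
0.0.0.0   www.mcafee.com
127.0.0.1 www.ca.com www3.ca.com
127.0.0.1 updates.vendor.example
"""

if __name__ == "__main__":
    vendor = find_vendor_overrides(SAMPLE_HOSTS)
    for addr, name in vendor:
        print(f"vendor site pinned: {name} -> {addr}")
    for addr, name in sorted(set(find_loopback_overrides(SAMPLE_HOSTS)) - set(vendor)):
        print(f"review: {name} -> {addr}")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; LMHOSTS (same directory, no extension) uses the same address-then-name layout for the lines that matter here, so the same parser covers the second file the page mentions.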
- The virus may attempt to browse the network looking for machines to infect by using imports from MPR.DLL to enumerate systems connected to the network
- The virus will attempt to scavenge the hard drive and look for email addresses - addresses found are saved into a file named "msmgr32.DLL" in the %Windows%\System32 folder
- The virus will construct varied emails and send them to contacts found on the infected system
Recommended Action
- Using FortiGate, enable file blocking for .EXE file extensions using IMAP, POP3, and SMTP
Telemetry
Detection Availability

Product | Detection Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |