W32/Weird.A
Analysis
This is a 32-bit virus designed to infect other EXE files on the compromised system. Infected files grow by 14Kb, but the file's system date and time stamp do not change, so a timestamp alone will not reveal the infection.
KERNEL32.DLL Replacement
This virus seeks to replace KERNEL32.DLL with a patched, infected copy. Because the running system holds KERNEL32.DLL open, W32/Weird stages the swap for the next restart: it writes the infected copy as "KERNEL32.A" into the %System% folder and creates a configuration file named "wininit.ini" whose rename entry replaces the good copy with the infected copy when the system is rebooted.
Miscellaneous
Some infected files carry a text marker in the PE header, indicating that the virus has infected the file:
"Coded by Weird"
Infected files are identified as "W32/Weird.A".
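The two on-disk traces described above (the staged KERNEL32.DLL swap via wininit.ini and the "Coded by Weird" header marker) can be checked during triage with a small script. The following is an added example and not Fortinet's code or the virus's code; it assumes the standard Windows 9x wininit.ini format, a `[rename]` section of `destination=source` lines processed at boot (a destination of `NUL` deletes the source), and it assumes the marker sits somewhere between the DOS header and the end of the section table, since the analysis says only "PE header". The wininit.ini text and the PE-shaped bytes below are constructed samples, not real captures.

```python
"""Triage helpers for W32/Weird.A traces (added example, not Fortinet's code)."""
import struct

MARKER = b"Coded by Weird"      # marker text quoted in the analysis
DROPPED_NAME = "KERNEL32.A"     # name of the dropped infected copy
TARGET_NAME = "KERNEL32.DLL"    # file the rename entry overwrites at reboot

# Constructed sample wininit.ini, shaped like what the virus would stage
# (assumed [rename] dest=source format; paths are made up).
SAMPLE_WININIT = r"""; constructed sample, not a real capture
[rename]
C:\WINDOWS\SYSTEM\KERNEL32.DLL=C:\WINDOWS\SYSTEM\KERNEL32.A
NUL=C:\WINDOWS\TEMP\~TMP0001.TMP
"""


def parse_wininit_rename(text):
    """Return (destination, source) tuples from the [rename] section.

    Parsed by hand rather than with configparser because keys are paths
    (case and backslashes must be preserved) and a line may legitimately
    contain '=' only once as the separator.
    """
    entries = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            entries.append((dest, src))
    return entries


def suspicious_rename_entries(text):
    """Entries that overwrite KERNEL32.DLL or use KERNEL32.A as a source."""
    hits = []
    for dest, src in parse_wininit_rename(text):
        if dest.upper().endswith(TARGET_NAME) or src.upper().endswith(DROPPED_NAME):
            hits.append((dest, src))
    return hits


def has_weird_marker(data):
    """True if the PE header region of `data` contains the marker.

    Walks MZ -> e_lfanew -> 'PE\\0\\0', then bounds the search at the end of
    the section table (24-byte COFF header incl. signature + optional header
    + 40 bytes per section). Anything that is not a PE returns False.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    header_end = e_lfanew + 24 + opt_size + 40 * num_sections
    return MARKER in data[:min(header_end, len(data))]


def build_sample_pe(with_marker):
    """Build a minimal, non-runnable PE-shaped byte string (constructed
    sample) with the marker placed in the DOS stub when requested."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)        # e_lfanew -> PE signature
    if with_marker:
        dos[0x40:0x40 + len(MARKER)] = MARKER
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab,
    # NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    return bytes(dos) + coff + bytes(0xE0) + bytes(40) + bytes(512)


if __name__ == "__main__":
    for dest, src in suspicious_rename_entries(SAMPLE_WININIT):
        print(f"staged replacement: {src} -> {dest}")
    print("marker in sample PE:", has_weird_marker(build_sample_pe(True)))
```

Run against a real host, `suspicious_rename_entries` would take the contents of the Windows directory's wininit.ini and `has_weird_marker` the bytes of each EXE; a hit on either, especially together with a file that grew by 14Kb without a timestamp change, is reason to restore KERNEL32.DLL from known-good media before the next reboot.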
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Telemetry
Detection Availability

Product | Level
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |