W32/Wallon@mm
Analysis
Specifics
This virus sends email messages containing a hyperlink to the
Internet location where a copy of it is hosted. The message uses
URL obfuscation to trick the recipient into clicking the hyperlink.
A user who clicks the link is bounced through several websites
and ultimately downloads a copy of the virus from a hosting
website.
The URL obfuscation abuses the permitted URL format and affects systems that have not been updated with the MS04-013 Microsoft update. The underlying vulnerability is tracked as the MHTML URL Processing Vulnerability, CAN-2004-0380.
Mass Emailing Campaign
If run, the virus sends an email message to every
contact listed in the Windows Address Book. The emails
are sent in HTML format like this [spaces inserted intentionally
for this writeup] -
From: [smtp server name]
Subject: Re:
Body:
http : // drs.yahoo.com / (recipient email domain name)
/ NEWS
Here's an example -
From: mail.domain.com
Subject: Re:
Body:
http : // drs.yahoo.com / hotmail.com / NEWS
The link does not go where the displayed text suggests; it uses an obfuscation trick so that clicking the hyperlink leads to a different website. The trick relies on an "*" inside the href attribute of the HTML anchor tag: the part before the "*" is the trusted-looking address the recipient sees, and everything after the "*" is the URL the browser is actually forwarded to. The format of the exploit is -
href=http://any-domain.com/anything/anything/*http://the-real-domain.com/anything/anything
Clicking the link in the email message opens a web page
that redirects through numerous sites and finally downloads
and runs a copy of the virus. The virus is hosted on a
Yahoo-controlled user domain account.
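The message format and the "*" href trick described above can be checked mechanically. The following is an added example (not code from the original writeup or from Fortinet): it parses an HTML mail body, recovers the real destination hidden after the "*" in each href, and flags links whose visible text points at a different host than the true target. The sample body is constructed to match the format above; the destination host example.invalid is a placeholder, not the actual hosting site.

```python
"""Detect the '*' redirect obfuscation in the links of an HTML e-mail body."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample body modelled on the message format above. The
# destination host (example.invalid) is a placeholder, not the real one.
SAMPLE_HTML = (
    "<html><body>"
    '<a href="http://drs.yahoo.com/hotmail.com/NEWS/*http://example.invalid/x/NEWS">'
    "http://drs.yahoo.com/hotmail.com/NEWS</a>"
    "</body></html>"
)

# Constructed benign body: visible text and href agree, no '*' target.
BENIGN_HTML = '<html><body><a href="http://example.org/">http://example.org/</a></body></html>'


class LinkExtractor(HTMLParser):
    """Collect (href, visible link text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# An absolute URL introduced by '*'; the last such URL is the real target.
STAR_TARGET = re.compile(r"\*(https?://[^\s\"'<>]+)", re.IGNORECASE)


def extract_links(html):
    """Return all (href, text) pairs found in the HTML body."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def real_destination(href):
    """Return the URL after the '*', or href itself when the trick is absent."""
    decoded = unquote(href)  # also catches a percent-encoded '*' (%2A)
    hits = STAR_TARGET.findall(decoded)
    return hits[-1] if hits else href


def analyse_links(html):
    """One record per link: href, visible text, real destination, suspicious flag."""
    records = []
    for href, text in extract_links(html):
        dest = real_destination(href)
        dest_host = urlsplit(dest).hostname
        shown_host = urlsplit(text).hostname if text.lower().startswith("http") else None
        mismatch = shown_host is not None and shown_host != dest_host
        records.append({
            "href": href,
            "shown": text,
            "destination": dest,
            "suspicious": dest != href or mismatch,
        })
    return records


if __name__ == "__main__":
    for rec in analyse_links(SAMPLE_HTML) + analyse_links(BENIGN_HTML):
        flag = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f"{flag:10} shown={rec['shown']!r} -> {rec['destination']}")
```

Run it as a script to see the constructed sample flagged and the benign link passed. The percent-decoding step is there because a "%2A" in the href would otherwise slip past a literal "*" check while still being decoded by the redirector.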
Recommended Action
- Check the main screen of the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- Using the FortiGate manager, add the IP address
213.4.130.210 to the URL block list
- Ensure affected systems are updated with the latest
Microsoft patches, or at a minimum with the MS04-013
Microsoft update
Detection Availability
- FortiClient: Extreme
- FortiMail: Extreme
- FortiSandbox: Extreme
- FortiWeb: Extreme
- Web Application Firewall: Extreme
- FortiIsolator: Extreme
- FortiDeceptor: Extreme
- FortiEDR