W32/Zafi.C@mm
Analysis
This 32-bit virus has a packed file size of 15,993 bytes. It contains code to spread via SMTP and to copy itself into folders whose names contain certain strings.
The virus harvests email addresses from files with these extensions: htm, wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml, pmr.
The virus skips any address whose domain portion contains one of these strings:
info, help, aol, webm, micro, msn, hotmail.co, suppor, syma, vir, trend, panda, hoo.com, cafee, sopho, google, kasper
The harvested addresses are written to short text files in the System32 folder, named sequentially:
svchost.co1
svchost.co2
svchost.co3
and so on.
Loading at Windows startup
The virus registers itself to run at each Windows startup by creating this registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
_svchost.con = C:\Winnt\System32\svchost.com
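A host check for the artifacts described above (the svchost.coN address files and the _svchost.con Run value), added here as an example and not part of the original advisory. The function name Find-ZafiCArtifacts is my own, and the System32 path is resolved at run time rather than assumed to be C:\Winnt\System32.

```powershell
# Added example, not from the original advisory. Checks a Windows host for the
# persistence artifacts this entry lists. Run from an elevated PowerShell session.
function Find-ZafiCArtifacts {
    $findings = @()

    # Run value "_svchost.con" under HKLM\...\CurrentVersion\Run, as described above.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name '_svchost.con' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += "Run value _svchost.con -> $($run.'_svchost.con')"
    }

    # Dropped svchost.com plus the svchost.co1, svchost.co2, ... address lists in System32.
    # The legitimate service host is svchost.exe, which this filter does not match.
    # System32 is resolved here instead of assuming the C:\Winnt path quoted in the advisory.
    $sys32 = [Environment]::GetFolderPath('System')
    $files = Get-ChildItem -Path $sys32 -Filter 'svchost.co*' -File -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $findings += "File $($f.FullName) ($($f.Length) bytes)"
    }

    return $findings
}

# @() keeps an empty result as an array so .Count is always valid.
$hits = @(Find-ZafiCArtifacts)
if ($hits.Count -eq 0) {
    Write-Output 'No Zafi.C artifacts found.'
} else {
    $hits | ForEach-Object { Write-Warning $_ }
}
```

A hit on either artifact is worth a full scan with an up-to-date engine, since the address files alone only indicate that the harvesting stage has already run.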
Miscellaneous
The virus contains code to initiate a denial of service attack against three web sites:
google.com
microsoft.com
www.miniszterelnok.hu
Recommended Action
Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |