W32/Traxg.A@mm

Analysis


Specifics
This 32-bit threat contains instructions to send itself to other contacts listed in the Windows address book. This virus may exist as a .COM file on the infected system, located in the %Windows%\Fonts\ folder. The virus may also copy itself to the A: drive as "Explorer.exe".


Load At Windows Startup
If the virus is run, it copies itself into the %Windows%\Fonts folder under a random name such as "52657.com". The virus then registers itself to run each time Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"TempTom" = C:\WINNT\FONTS\52657.com
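The persistence entry above is easy to check for on a host, since the Fonts folder should never contain executable images. The following is an added example (not Fortinet's code) that scans a list of Run-key values, as exported from HKLM\...\Run, and flags any that launch a .com file from the Fonts folder; the sample entries are constructed, with the "TempTom" value taken from this page, and the Fonts paths assume %Windows% is C:\WINNT or C:\Windows.

```python
import ntpath

# Constructed sample of HKLM\...\Run values as (name, data) pairs, in the
# form a registry export would give them. "TempTom" is the entry documented
# on this page; the other two are made-up benign entries for contrast.
SAMPLE_RUN_VALUES = [
    ("TempTom", r"C:\WINNT\FONTS\52657.com"),
    ("ctfmon", r"C:\WINNT\system32\ctfmon.exe"),
    ("Updater", r'"C:\Program Files\Vendor\updater.exe" /background'),
]

# Fonts folder locations (assumption: %Windows% is C:\WINNT or C:\Windows).
FONTS_DIRS = {r"c:\winnt\fonts", r"c:\windows\fonts"}


def _command_image(data: str) -> str:
    """Return the image path from a Run value, stripping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted command line: the first token is the image path
    # (unquoted paths containing spaces are not resolved here).
    return data.split()[0] if data else ""


def is_traxg_like_run_entry(data: str) -> bool:
    """True if the Run value launches a .com file located in the Fonts folder.

    The Fonts folder should hold font files only, so any executable image
    there is anomalous; a random numeric name is a further indicator.
    """
    image = _command_image(data)
    directory, filename = ntpath.split(image)
    return (
        directory.lower().rstrip("\\") in FONTS_DIRS
        and filename.lower().endswith(".com")
    )


def find_suspicious_run_entries(entries):
    """Return the (name, data) pairs that match the Fonts-folder .com pattern."""
    return [(name, data) for name, data in entries if is_traxg_like_run_entry(data)]


if __name__ == "__main__":
    for name, data in find_suspicious_run_entries(SAMPLE_RUN_VALUES):
        print(f"suspicious Run entry: {name} = {data}")
```

On a live host the same function can be fed the output of `reg query` for the Run key under both HKLM and HKCU.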


Email Spread Capability
The virus searches for target email addresses by scanning the Windows address book. For each address found, the virus composes an email message and attaches a copy of itself as "document.exe".


Miscellaneous
The virus has a file icon that looks like a folder - this could trick an unwary user into double clicking the file to view the contents of a folder, but instead it activates the virus. This virus was coded using Visual Basic 6.


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, enable blocking of .EXE files across SMTP, POP3 and IMAP

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR