W32/Traxg.A@mm
Analysis
Specifics
This 32-bit mass-mailing worm sends a copy of itself to
the contacts listed in the Windows Address Book.
The virus may exist as a .COM file on the infected
system, located in the Windows\Fonts\ folder (for example
C:\WINNT\FONTS). The virus may also copy itself to the
A: drive (floppy) as "Explorer.exe".
Load At Windows Startup
When the virus is run, it copies itself into the Windows\Fonts
folder under a random numeric name such as "52657.com".
The virus then registers itself to run each time Windows
starts by adding a value to the Run key -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"TempTom" = C:\WINNT\FONTS\52657.com
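The Run-key entry above is the one durable host artifact this entry describes. The following script is an added example, not part of the Fortinet entry: it parses a `reg export` of the Run key (the sample export is constructed here, not captured from an infected host) and flags any value that launches an executable from a Fonts folder, which a legitimate autorun entry has no reason to do. The value name "TempTom" and file name "52657.com" come from the entry; the rule itself (executable extension in a Fonts directory) is the generalisation, so it also catches a sample that picked a different random name.

```python
import re
from typing import List, Tuple

# Constructed sample of "reg export HKLM\...\Run" output (not a real capture).
# The first value mirrors the persistence entry described for W32/Traxg.A@mm.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TempTom"="C:\\WINNT\\FONTS\\52657.com"
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"
"ctfmon"="C:\\WINNT\\system32\\ctfmon.exe"
"""

# A REG_SZ value in a .reg file looks like "name"="data".
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Extensions Windows will execute directly from a Run value.
EXEC_EXT = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}


def parse_run_values(reg_text: str) -> List[Tuple[str, str]]:
    """Return (value name, command) pairs from a .reg export of a Run key."""
    values = []
    for line in reg_text.splitlines():
        m = RUN_VALUE.match(line.strip())
        if m:
            # reg export doubles every backslash inside quoted data; undo that.
            values.append((m.group("name"), m.group("value").replace("\\\\", "\\")))
    return values


def is_fonts_autorun(command: str) -> bool:
    """True if the command runs an executable that lives in a Fonts directory.

    Fonts folders hold .ttf/.fon files; an executable there is a strong
    indicator of the placement this worm uses.  Assumption: the command is a
    bare path without arguments, which is how the entry reports it.
    """
    path = command.strip().strip('"').lower()
    directory, _, filename = path.rpartition("\\")
    ext = filename[filename.rfind("."):] if "." in filename else ""
    return directory.endswith("\\fonts") and ext in EXEC_EXT


def find_suspicious_run_entries(reg_text: str) -> List[Tuple[str, str]]:
    """Filter a Run-key export down to the entries worth investigating."""
    return [(name, cmd) for name, cmd in parse_run_values(reg_text)
            if is_fonts_autorun(cmd)]


if __name__ == "__main__":
    for name, cmd in find_suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"suspicious autorun: {name} -> {cmd}")
```

On a live host, feed the script the output of `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`; the same check applies to the HKCU Run key, which this entry does not mention but which a variant could use just as easily.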
Email Spread Capability
The virus collects target email addresses by scanning
the Windows Address Book. For each address found, the
virus composes an email message and attaches a copy
of itself as "document.exe".
Miscellaneous
The virus uses a file icon that looks like a folder.
This can trick an unwary user into double-clicking
the file expecting to open a folder; instead it
runs the virus. This virus was written in Visual
Basic 6.
Recommended Action
- Check the main screen of the web interface on your
FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system; if required, enable the "Allow Push
Update" option.
- Using the FortiGate manager, enable blocking of .EXE files across SMTP, POP3 and IMAP. The mailed copy of this virus arrives as "document.exe", so this blocks the email spread vector.
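Blocking by extension is the control the entry recommends; the script below is an added example (not Fortinet code) showing what that gate does on a message of the kind this worm sends, and why a practitioner should pair it with a content check. It constructs a sample message (not a real capture) carrying a "document.exe" attachment whose bytes begin with the DOS "MZ" header, plus the same bytes renamed to "invoice.pdf", and flags each attachment by extension, by magic bytes, or both. The fake PE is only a two-byte header with padding, not executable code.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Tuple

# Extensions the recommended FortiGate rule would block on SMTP/POP3/IMAP,
# widened here to the other directly executable Windows types.
BLOCKED_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}

# Every Windows PE (and the DOS stub in front of it) starts with "MZ".
MZ = b"MZ"


def build_sample_message() -> bytes:
    """Constructed sample of the worm's mail; no real capture was used."""
    msg = EmailMessage()
    msg["From"] = "victim@example.com"
    msg["To"] = "contact@example.com"
    msg["Subject"] = "document"
    msg.set_content("see attached")
    # Fake PE: just the DOS magic plus padding, so the MZ check has something to hit.
    fake_pe = MZ + b"\x90" * 62
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="document.exe")
    msg.add_attachment("just text", filename="notes.txt")
    # Same bytes with a misleading name: an extension-only rule lets this through.
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


def flagged_attachments(raw: bytes) -> List[Tuple[str, str]]:
    """Return (filename, reason) for each attachment the gate would block.

    reason is "extension", "magic", or "extension+magic" depending on which
    checks fired, so the log shows whether the name alone would have caught it.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if any(name.lower().endswith(ext) for ext in BLOCKED_EXT):
            reasons.append("extension")
        if payload[:2] == MZ:
            reasons.append("magic")
        if reasons:
            flagged.append((name, "+".join(reasons)))
    return flagged


if __name__ == "__main__":
    for name, reason in flagged_attachments(build_sample_message()):
        print(f"blocked {name}: {reason}")
```

The "invoice.pdf" result is the caveat: the extension rule from the Recommended Action stops this worm as shipped, because it always names the attachment "document.exe", but a renamed copy passes an extension-only filter and is only caught by looking at the bytes.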
Telemetry
Detection Availability
Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |