W32/Ska.A@m
Analysis
- Virus is 32-bit, with a size of 10,000 bytes
- Virus will attempt to patch WSOCK32.DLL
- When the virus is first executed, it copies itself
to Windows\System as "Ska.exe" and then
writes a file "Ska.dll" to the same
folder
- Virus then copies existing WSOCK32.DLL as WSOCK32.SKA
- Virus modifies the registry in order to load
at Windows startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunOnce\
Ska.exe = Ska.exe
- After a Windows restart, SKA.EXE patches WSOCK32.DLL
so that it calls routines in SKA.DLL, which monitor
emails sent via SMTP and news posts sent via NNTP.
- When a user sends an email from an infected system
to someone, an additional email will be sent from
the infected system to the same recipient with an
attachment named "Happy99.exe".
- The virus records each email address it has sent
itself to in a text file named "liste.ska".
- When a user sends a news post to USENET via NNTP,
this virus will send an additional post with an attachment
named "Happy99.exe".
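The indicators listed above (the dropped files in Windows\System, the RunOnce value, and the "Happy99.exe" attachment that follows a legitimate message) can be checked mechanically. The script below is an added example written for this page, not Fortinet code; the host file listing, registry values and e-mail are constructed sample inputs, and the system-directory path C:\WINDOWS\SYSTEM is an assumption. Note that the RunOnce value is consumed at the first reboot, so its absence alone does not mean a host is clean: the patched WSOCK32.DLL (with the original saved as WSOCK32.SKA) is the persistent part.

```python
"""Check a host file listing, registry values and a raw e-mail for the
W32/Ska.A@m indicators described above. Added example; inputs are constructed."""
import email
from email import policy
from email.message import EmailMessage
import ntpath

# Indicators from the analysis (Windows names are case-insensitive).
SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"   # assumed Windows\System location
DROPPED_FILES = {"ska.exe", "ska.dll", "wsock32.ska", "liste.ska"}
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"
ATTACHMENT_NAME = "happy99.exe"


def host_indicators(file_paths, registry_values):
    """file_paths: full paths present on the host.
    registry_values: dict mapping r"KEY\\ValueName" -> data string.
    Returns a sorted list of matched indicator labels."""
    hits = []
    for path in file_paths:
        directory, name = ntpath.split(path)
        if directory.lower() == SYSTEM_DIR.lower() and name.lower() in DROPPED_FILES:
            hits.append("file:" + name.lower())
    for key_value, data in registry_values.items():
        key, _, value_name = key_value.rpartition("\\")
        # The page lists the value as  Ska.exe = Ska.exe  under RunOnce.
        if (key.lower() == RUNONCE_KEY.lower()
                and value_name.lower() == "ska.exe"
                and data.strip().lower().endswith("ska.exe")):
            hits.append("registry:RunOnce\\Ska.exe")
    return sorted(hits)


def happy99_attachments(raw_message):
    """Return the filenames of attachments named Happy99.exe in a raw
    RFC 822 message (bytes). An empty list means no indicator was found."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename and filename.lower() == ATTACHMENT_NAME:
            found.append(filename)
    return found


# --- constructed sample inputs -------------------------------------------
SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM\SKA.EXE",
    r"C:\WINDOWS\SYSTEM\ska.dll",
    r"C:\WINDOWS\SYSTEM\WSOCK32.DLL",   # patched in place, name is not an IOC
    r"C:\WINDOWS\SYSTEM\WSOCK32.SKA",   # backup of the original DLL
    r"C:\WINDOWS\SYSTEM\liste.ska",
    r"C:\WINDOWS\NOTEPAD.EXE",
]
SAMPLE_REGISTRY = {RUNONCE_KEY + r"\Ska.exe": "Ska.exe"}


def build_sample_message():
    """Construct the second, unsolicited message the worm sends: same
    recipient as the user's own mail, plus a Happy99.exe attachment."""
    m = EmailMessage()
    m["From"] = "user@example.invalid"
    m["To"] = "friend@example.invalid"
    m["Subject"] = "Happy new year"
    m.set_content("Happy new year!")
    # Dummy bytes standing in for the executable; not the real file.
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 16,
                     maintype="application", subtype="octet-stream",
                     filename="Happy99.exe")
    return m.as_bytes()


if __name__ == "__main__":
    print("host:", host_indicators(SAMPLE_FILES, SAMPLE_REGISTRY))
    print("mail:", happy99_attachments(build_sample_message()))
```

Run it as-is to see the matches on the constructed data; on a real host, feed `host_indicators` a directory listing and exported RunOnce values, and `happy99_attachments` messages captured at the mail gateway.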
Recommended Action
- Check the web interface for your FortiGate unit to ensure the latest AV/NIDS definitions have been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Telemetry
Detection Availability
Product | AV signature database
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |