Virus

W32/Wilab.A

Analysis

This 12,928-byte virus binds with TCP port 113 to function as a remote access Trojan. It contains instructions to spread to other computers by first sending a SYN packet to IP addresses and then uses the now common LSASS exploit [MS04-011] to gain access to the target and infect it.
This virus connects with various hard-coded IRC servers to await instructions from a malicious user and possibly function as an FTP proxy to transfer copyrighted media. The virus uses TCP port 6667 to make the connection.
Loading At Windows Startup
If this virus is run, it will register itself to run at each Windows startup -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"DirectX Video Driver" = C:\WINNT\dxterm5.exe

Recommended Action

  • Check the web interface for your Fortigate unit to ensure the latest AV/NIDS definitions have been downloaded and installed on your system - if required, enable the "Allow Push Update" option