• Virus is 32bit and infects files on Windows 95/98/ME operating systems by appending its code to them
  • Virus runs memory resident on Windows 9x systems by patching KERNEL32.DLL and copying the infected file to the Windows folder
  • When Windows restarts, files accessed become infected
  • Virus may attempt to listen on TCP port 6667 acting as an IRC bot awaiting instructions from a hacker or group of hackers
  • Instructions could include joining channels, sending PING requests to IP addresses and also removing the bot

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option