This 32-bit virus pretends to be an installable file from Microsoft. When it is first run, a splash-screen logo is displayed to give the virus the appearance of an official Microsoft update executable. Next, the virus displays a fake dialogue box that offers only one choice -

Microsoft Windows Update

Click Yes For Update Microsoft Outlook via E-mail


To continue the trickery, the virus opens the Internet Explorer web browser at Microsoft's security update page, as in this example -

This virus contains a mass-mailing routine that sends a copy of itself to others using Outlook.

Kazaa P2P Sharing Propagation
This virus also makes itself available to others using the P2P file-sharing program Kazaa by copying itself into that application's shared folder. These are some of the file names the virus may copy itself as -

C:\Program Files\Kazaa\My Shared Folder\50 Cent - In da Club.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Anastacia - Left Outside Alone.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Black Eyed Peas - Hey Mama.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Haiducii - Dragostea Din Tei.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Lionel Richie - Just For You.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Pipponoto.exe
C:\Program Files\Kazaa\My Shared Folder\Raf - In tutti i miei giorni.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Rosy.exe
C:\Program Files\Kazaa\My Shared Folder\The Rasmus - In The Shadows.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Vanessa Carltron - Ordinary Day.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Vasco Rossi - Buoni e cattivi.mp3.exe

Loading at Windows Startup
This virus registers itself to load at Windows startup by modifying the registry -

"(Default)" = WINDOWS\system32\NonYou.exe

"(Default)" = WINDOWS\system32\nstdnrdll32.vbs

Lowering of Outlook Attachment Security
The virus modifies the registry in an attempt to lower the security settings that MS Outlook applies to the handling of unsafe attachments. The virus sets these registry values -

"Level1Remove" = exe
"Level1Remove" = exe
"Level1Remove" = exe

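As an added defender-side example (not code from the original description), the following Python check flags files in a P2P shared folder that carry an executable hidden behind a media extension like the Kazaa names listed above, and inspects an Outlook Level1Remove value to see whether .exe attachments have been unblocked. The file list and registry value are constructed sample data; the semicolon-separated extension format of Level1Remove is assumed from Outlook's documented behaviour.

```python
import ntpath

# Bait extensions the virus places before the real ".exe" (assumed set).
BAIT_EXTENSIONS = {".mp3", ".avi", ".mpg", ".jpg", ".zip", ".doc"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com"}

def classify(path):
    """Return a reason string if the file looks suspicious in a media share, else None."""
    name = ntpath.basename(path).lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in BAIT_EXTENSIONS:
        return "executable disguised with a media extension"
    return "executable in a media-sharing folder"

def scan_shared_folder(paths):
    """Map each suspicious path in a shared-folder listing to the reason it was flagged."""
    hits = {}
    for path in paths:
        reason = classify(path)
        if reason:
            hits[path] = reason
    return hits

def level1_unblocked(level1remove):
    """Normalise a Level1Remove value (e.g. '.url;.exe' or 'exe') into a set of extensions."""
    exts = set()
    for item in level1remove.split(";"):
        item = item.strip().lower().lstrip(".")
        if item:
            exts.add("." + item)
    return exts

def outlook_exe_unblocked(level1remove):
    """True when the value removes .exe from Outlook's Level 1 blocked-attachment list."""
    return ".exe" in level1_unblocked(level1remove)

# Constructed sample listing modelled on the Kazaa file names above.
SAMPLE_SHARED = [
    r"C:\Program Files\Kazaa\My Shared Folder\50 Cent - In da Club.mp3.exe",
    r"C:\Program Files\Kazaa\My Shared Folder\Rosy.exe",
    r"C:\Program Files\Kazaa\My Shared Folder\Genuine Song.mp3",
    r"C:\Program Files\Kazaa\My Shared Folder\Holiday.jpg.scr",
]

if __name__ == "__main__":
    for path, reason in scan_shared_folder(SAMPLE_SHARED).items():
        print(f"suspicious: {path} ({reason})")
    print("Outlook .exe attachments unblocked:", outlook_exe_unblocked("exe"))
```
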
The last two PE sections of this virus have these names -


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option