Virus

W32/Lemoor.A

Analysis

Specifics
This virus listens for communication from a W32/Sasser infected system and then directly targets that system. The virus will attempt to infect the Sasser-infected system by exploiting a buffer overflow in the FTP functionality of the Sasser virus.
The virus hides its activity if it detects that a tracing program or debugger is attached. This check is made through the Windows API function "IsDebuggerPresent", which appears in the virus's import table.
Once a system is targeted and successfully infected, the virus will then wait for communication from systems infected by Sasser.
Loading at Windows Startup
If this virus is run, it registers itself to load at Windows startup by creating the following value under this registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"[Ephemeral 2.4] by TreeHugger, " = *path/filename*
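A defender-side check for this persistence entry, added here as an example and not part of the advisory or Fortinet's own tooling: it parses a registry export in the plain-text .reg format (as produced by "reg export" or Registry Editor) and reports any value under the Run key whose name matches the one above. The registry export in the block is constructed for the example; the key path and value name come from the advisory.

```python
import re
from typing import Dict, List

# Persistence location and value name as given in the advisory.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
LEMOOR_VALUE_NAME = "[Ephemeral 2.4] by TreeHugger, "   # note the trailing space

# .reg format: "[key path]" section headers, then "name"=data lines.
_SECTION_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo the .reg escaping of double quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}.

    String values (written as "...") are decoded; other value types are
    kept as their raw text. Default values (@=...) are skipped.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1))
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_lemoor_persistence(text: str) -> List[str]:
    """Return the path/filename data of every Run-key value whose name
    matches the W32/Lemoor.A indicator (key path compared case-insensitively)."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name == LEMOOR_VALUE_NAME:
                hits.append(data)
    return hits


# Constructed sample export: one benign entry and one matching the indicator.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"[Ephemeral 2.4] by TreeHugger, "="C:\\Windows\\system32\\sample_dropped.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
'''

if __name__ == "__main__":
    for path in find_lemoor_persistence(SAMPLE_EXPORT):
        print("W32/Lemoor.A persistence entry found, loads:", path)
```

The value name is matched exactly, including its trailing space, because that is how the advisory records it; an exported .reg file preserves it inside the quotes, so a whitespace-trimming comparison would be the wrong choice here.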

Recommended Action

  • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option