• Virus is 32-bit, with a compressed size of 44,544 bytes
  • Virus icon resembles that of a TXT file associated with Notepad
  • Virus may search the following list and attempt to terminate several Antivirus or firewall related applications, based on a table of names
  • Virus may copy itself to the Windows\System folder as “exeLoader.exe”, and modify the registry to run this any time an EXE file is run –

    (Default) = "C:\Windows\System\exeLoader.exe" "%1" %*

    * original value for above was
    (Default) = "%1" %*

  • Virus modifies the registry to run at Windows startup –

    Windows Task = C:\Windows\System\wintask32.exe

    Windows Task = C:\Windows\System\wintask32.exe

  • Virus will create additional keys in the system registry –
    Author = R0xx
    Comments = This system belongs to the great Indians…
    Version = 2.01 Beta
    Web =
    (Default) =

  • HKEY_LOCAL_MACHINE\Software\Microsoft\WinVer\
    (Default) = xbthsn

  • Next, the virus will scavenge the local drive for email addresses and send a copy of itself to the addresses it finds, in varying email formats, using a randomly selected subject line and body text

  • Message is structured such that it uses an exploit which will cause the attachment to launch automatically when the message is either opened or previewed in Outlook
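
The registry changes listed above can be checked offline against a text export of a suspect machine's registry. The following is an added example, not part of the original description: the handler and startup key paths are assumptions (the description does not name them), and the sample export is constructed.

```python
import re

# Indicators quoted in the description above.
DROPPED_NAMES = ("exeloader.exe", "wintask32.exe")
RUN_VALUE_NAME = "Windows Task"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\WinVer"
CLEAN_EXE_HANDLER = '"%1" %*'
EXE_HANDLER_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"  # assumed key path
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")="(?P<data>(?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg text escapes \ and " with a backslash

def parse_reg(text):
    """Yield (key, value_name, data) for string values; value_name is None on key lines."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].rstrip("\\")
            yield key, None, None
        elif key and (m := VALUE_RE.match(line)):
            name = "(Default)" if m["name"] is None else unescape(m["name"])
            yield key, name, unescape(m["data"])

def scan(text):
    """Return sorted (indicator, key) pairs found in decoded .reg export text."""
    hits = set()
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k == MARKER_KEY.lower():
            hits.add(("marker-key", key))
        if name is None:
            continue
        if any(n in data.lower() for n in DROPPED_NAMES):
            hits.add(("dropped-file-reference", key))
        if name == RUN_VALUE_NAME:
            hits.add(("startup-value", key))
        if k == EXE_HANDLER_KEY.lower() and name == "(Default)" and data != CLEAN_EXE_HANDLER:
            hits.add(("exe-handler-modified", key))
    return sorted(hits)

# Constructed sample export; the exefile and Run key paths are assumed, not from the page.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Windows\\System\\exeLoader.exe\" \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Task"="C:\\Windows\\System\\wintask32.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\WinVer]
@="xbthsn"'''
print(*scan(SAMPLE), sep="\n")
```

Exports written by regedit in the version 5.00 format are UTF-16, so decode the file before passing its text to `scan`.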

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option