Virus Prevalence
Of Fortinet devices world-wide, 10.46% reported new detections of this virus last month
Detailed Analysis
- Upon execution, it drops the following files:
  - %AppData%\[RandomFilename_1].exe : This file is also detected as W32/Lockscreen.LOA!tr.
  - %AppData%\[RandomFilename_2].exe : This file is detected as W32/Kryptik.BYA!tr.
  - Other data files are dropped in the user's Application Data folder; they are randomly named and have no file extension. These files are non-malicious.
- The malware was observed to perform DNS queries to:
  - www.smsdomoj.de
  - ns23824.ovh.net
  - aby.kaneza.com
  - virtualspace.ru
- The following registry modifications are applied:
  - HKEY_CURRENT_USER\Software\[RandomReg_1]
    - [RandomReg_3] = [HexValues], e.g., hex:a1,49,3f,8d,6a,6f,6e,81,84,4a,c9,0b,2b,a2,ab,eb...
  - HKEY_CURRENT_USER\Software\[RandomReg_2]
    - [RandomReg_4] = [HexValues], e.g., hex:a1,49,3f,8d,6f,7c,72,91,d5,4a,c9,0b...
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    - [RandomReg_1] = %AppData%\[RandomFilename_1].exe
    - [RandomReg_2] = %AppData%\[RandomFilename_2].exe
  These Run entries cause the dropped files to be executed automatically every time the infected user logs on.
- The malware file uses the Word Document icon.
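As an added example (not part of the Fortinet description), the following offline triage script parses a `reg export` of the HKCU Run key and flags values whose command launches an executable sitting directly in the %AppData% root, which is the persistence pattern described above; the sample export, its user name and its value names are constructed.

```python
import re

# Constructed sample: an excerpt of `reg export` output for the HKCU Run key.
# "Ktjvwqz" and "Zqpmxr" are hypothetical entries shaped like the ones in the
# analysis (random value name, .exe dropped straight into %AppData%).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Ktjvwqz"="C:\\Users\\alice\\AppData\\Roaming\\Ktjvwqz.exe"
"Zqpmxr"="%AppData%\\Zqpmxr.exe"
"Spotify"="C:\\Users\\alice\\AppData\\Roaming\\Spotify\\Spotify.exe --autostart"
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# A .reg string value line: "name"="data", with \\ and \" escapes inside.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# The executable part of a command line, with or without surrounding quotes.
EXE_PATH = re.compile(r'^"?([^"]*?\.exe)', re.IGNORECASE)
# An .exe directly in the Roaming AppData root (no vendor subfolder), written
# either as %AppData% or as the expanded per-user path.
APPDATA_ROOT_EXE = re.compile(
    r'(?:^%appdata%|\\appdata\\roaming)\\[^\\]+\.exe$', re.IGNORECASE)


def _unescape(s: str) -> str:
    # Collapse .reg escapes: \\ -> \ and \" -> "
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_values(reg_text: str) -> dict:
    """Return {value_name: data} for string values under the HKCU Run key."""
    values, in_run_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            in_run_key = line.strip('[]').lower() == RUN_KEY.lower()
            continue
        m = VALUE_LINE.match(line)
        if in_run_key and m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def suspicious_run_values(values: dict) -> list:
    """Names of Run values whose command starts an .exe from the %AppData% root."""
    flagged = []
    for name, data in values.items():
        m = EXE_PATH.match(data)
        if m and APPDATA_ROOT_EXE.search(m.group(1)):
            flagged.append(name)
    return flagged


if __name__ == '__main__':
    hits = suspicious_run_values(parse_run_values(SAMPLE_REG_EXPORT))
    print('Run values to review:', hits)  # ['Ktjvwqz', 'Zqpmxr']
```

Entries in vendor subfolders (OneDrive, Spotify in the sample) are not flagged; a hit is a lead for review against the dropped-file and Run-key indicators above, not a verdict on its own.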
Removal Instructions
- FortiGate Systems
  - Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.
- FortiClient Systems
  - Quarantine/delete files that are detected and replace infected files with clean backup copies.