
W32/Agent.C659!tr.dldr - Released Nov 16, 2009 - Last Updated Nov 19, 2009

Alias/es

Trojan:Win32/Oficla.E(Microsoft), Win32/Oficla.BL(NOD32), Trojan.Win32.Sasfis.vbw(Kaspersky)

Visible Symptoms

  • The following file exists:
    • %system%\wdni.buo

Detailed Analysis

W32/Agent.C659!tr.dldr is classified as a downloader trojan.

A downloader trojan has the capability to download other malicious files or an updated version of itself.

  • It drops the following file:
    • %system%\wdni.buo
  • It adds the following registry key:
    • key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid
  • It modifies the following registry value:
    • key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • value: Shell
  • It tries to access the following URL:
    • http://19[REMOVED]7.91
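The indicators above (the dropped file, the added Classes\idid key and the modified Winlogon Shell value) can be checked on a host with a short PowerShell script. The script below is an added example for defenders and is not part of the Fortinet advisory; it assumes that %system% in Fortinet's notation is the System32 directory and that the clean Winlogon Shell value on a default installation is `explorer.exe`. Deployments that legitimately set a custom shell (kiosk builds, for instance) should pass their own value to `-ExpectedShell`.

```powershell
# Added example, not from the Fortinet advisory: read-only host check for the
# W32/Agent.C659!tr.dldr indicators listed on this page.
# Assumptions: %system% = [Environment]::SystemDirectory, clean Shell = 'explorer.exe'.

function Test-OficlaIndicators {
    [CmdletBinding()]
    param(
        # Expected clean value of the Winlogon Shell entry (assumption: default Windows).
        [string]$ExpectedShell = 'explorer.exe'
    )

    $findings = @()

    # 1. Dropped file: %system%\wdni.buo
    $droppedFile = Join-Path ([Environment]::SystemDirectory) 'wdni.buo'
    if (Test-Path -LiteralPath $droppedFile) {
        $findings += [pscustomobject]@{
            Indicator = 'Dropped file present'
            Detail    = $droppedFile
        }
    }

    # 2. Added registry key: HKLM\SOFTWARE\Classes\idid
    $addedKey = 'HKLM:\SOFTWARE\Classes\idid'
    if (Test-Path -LiteralPath $addedKey) {
        $findings += [pscustomobject]@{
            Indicator = 'Registry key present'
            Detail    = $addedKey
        }
    }

    # 3. Modified Winlogon Shell value: report anything other than the expected shell.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -LiteralPath $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -ne $shell -and $shell.Trim() -ne $ExpectedShell) {
        $findings += [pscustomobject]@{
            Indicator = 'Winlogon Shell value modified'
            Detail    = $shell
        }
    }

    # Leading comma keeps an empty array from being unrolled to $null on return.
    return ,$findings
}

# Usage: run from an elevated prompt so HKLM and System32 are readable.
$results = Test-OficlaIndicators
if ($results.Count -eq 0) {
    Write-Output 'No W32/Agent.C659!tr.dldr indicators found.'
} else {
    $results | Format-Table -AutoSize
}
```

The script only reads; it does not remove the file or restore the Shell value, since remediation of the Shell entry should be done with a known-good value for that build rather than a blanket reset. A non-empty result is a reason to quarantine the host and follow the recommended action below.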

Recommended Action

FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 1126541