W32/Agent.JD!worm - Released Oct 25, 2008 - Last Updated Oct 27, 2008
|
Alias/esWorm.Win32.Agent.jd(KAV), PAK_Generic.001(Trend), Worm:W32/AutoRun.IU(F-secure) |
Detection Availability
|
Visible SymptomsDeletes itself from the current directory.
The following files exist under the %ProgramFiles%\Microsoft Common folder.
|
Detailed Analysis
The behavior of this variant is very similar to W32/Agent.5190!tr.dldr.
It downloads files from the following URLs:
- http://dru{removed}.ru/ld.php?v=1&rs=%u&uid=1
- http://dru{removed}.ru/ld.php?v=1&id=%s&rs=%u&cc=0&uid=1
- http://dru{removed}.ru/ld.php?v=1&rs=%u&n=1&uid=1
- http://dru{removed}.ru/ld.php?v=1&id=%s&rs=%u&n=1&cc=0&uid=1
- http://dri{removed}.ru/ld.php?v=1&rs=%u&uid=1
- http://dri{removed}.ru/ld.php?v=1&id=%s&rs=%u&cc=0&uid=1
- http://dri{removed}.ru/ld.php?v=1&rs=%u&n=1&uid=1
- http://dri{removed}.ru/ld.php?v=1&id=%s&rs=%u&n=1&cc=0&uid=1
|
Recommended ActionFortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
|
