W32/FakeAlert.LM!tr.dldr - Released Nov 14, 2008 - Last Updated Nov 17, 2008
Aliases: Trojan.Win32.Agent.anfb (KAV), Worm.Autorun.BTD (Virusbuster), Spy-Agent.bw (McAfee)
Visible Symptoms
Deletes itself from the current directory.
The following file exists under the %ProgramFiles%\Microsoft Common folder.
Detailed Analysis
Creates a copy of itself in the %ProgramFiles%\Microsoft Common folder as svchost.exe.
Downloads files from the following URLs:
- http://fur{REMOVED}.ru/load2/ld.php?v=1&rs={RANDOM}{RANDOM}&uid=1
- http://fur{REMOVED}.ru/load2/ld.php?v=1&id={RANDOM}&rs={RANDOM}{RANDOM}&cc=0&uid=1
- http://fur{REMOVED}.ru/load2/ld.php?v=1&rs={RANDOM}{RANDOM}&n=1&uid=1
- http://fur{REMOVED}.ru/load2/ld.php?v=1&id={RANDOM}&rs={RANDOM}{RANDOM}&n=1&cc=0&uid=1
The behavior of this variant is very similar to W32/Agent.5190!tr.dldr. For more information, please see the description for W32/Agent.5190!tr.dldr.
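As an added defender-side example (not part of this Fortinet description), the following Python flags the two indicators listed above: the ld.php download-request pattern in a proxy log and the svchost.exe copy under %ProgramFiles%\Microsoft Common. The hostname, the squid-style log layout and the sample log lines are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlparse

# Download-request shape taken from the description: path /load2/ld.php,
# fixed v=1 and uid=1, a random rs value, optional id / n / cc parameters.
LOADER_PATH = "/load2/ld.php"
REQUIRED_PARAMS = {"v": "1", "uid": "1"}
OPTIONAL_PARAMS = {"id", "rs", "n", "cc"}

# Drop location from the description; the legitimate svchost.exe lives only
# under %SystemRoot%\System32, so this path alone is a strong signal.
DROP_PATH_RE = re.compile(
    r"^[a-z]:\\program files\\microsoft common\\svchost\.exe$", re.I)


def is_loader_request(url: str) -> bool:
    """True if url matches the ld.php download beacon described above."""
    parsed = urlparse(url)
    if parsed.path.lower() != LOADER_PATH:
        return False
    qs = parse_qs(parsed.query)
    # Every fixed parameter must be present with exactly the fixed value.
    for key, value in REQUIRED_PARAMS.items():
        if qs.get(key) != [value]:
            return False
    # rs is present in every listed URL; nothing outside the known names.
    unknown = set(qs) - set(REQUIRED_PARAMS) - OPTIONAL_PARAMS
    return "rs" in qs and not unknown


def is_drop_path(path: str) -> bool:
    """True if a file path is the copy location used by this variant."""
    return bool(DROP_PATH_RE.match(path.strip()))


def scan_proxy_log(lines):
    """Return (line_no, url) for each loader request in squid-style lines:
    ts elapsed client code/status bytes method url ... (constructed layout)."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) >= 7 and is_loader_request(fields[6]):
            hits.append((line_no, fields[6]))
    return hits


# Constructed sample log lines; fur-removed.example stands in for the
# redacted fur{REMOVED}.ru host and the addresses are documentation ranges.
SAMPLE_LOG = [
    "1226700000.123 45 10.0.0.5 TCP_MISS/200 812 GET http://fur-removed.example/load2/ld.php?v=1&rs=7f3a9c21&uid=1 - DIRECT/203.0.113.10 text/plain",
    "1226700001.456 12 10.0.0.5 TCP_HIT/200 5120 GET http://www.example.org/index.php?v=1&uid=1 - NONE/- text/html",
    "1226700002.789 51 10.0.0.7 TCP_MISS/200 640 GET http://fur-removed.example/load2/ld.php?v=1&id=55&rs=7f3a9c21&n=1&cc=0&uid=1 - DIRECT/203.0.113.10 text/plain",
]
```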
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.