Virus

JS/Agent.NDSW!tr

Analysis

JS/Agent.NDSW!tr is a generic detection for a trojan.
Since this is a generic detection, malware that are detected as JS/Agent.NDSW!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:

This malware is an obfuscated/injected JS file that uses an observed common variable name found amongst all its variants set initially to "undefined".

Below are some of the sites to which some of the samples observed tried to connect to:
- fshmakin[removed].com/fshmaki[removed].php
- bukuip[removed].co.id/wp-admin/css/colors/blue/blue.php
- miskininka[removed].eu/wp-admin/css/colors/blue/blue.php
- cepekrandegi[removed]admin/css/colors/blue/blue.php
- edulearntechnol[removed]om/acc/admin/classes/local/settings/settings.php

Following are some of the exact file hashes associated with this detection:
- Md5:0038536E7A2C7E0A33ECCE977E146594
  Sha256:5fa4bd2ab99c74c3db9cc3e6c200f0572e868a8d10f795cee459a3a794e8f1fd
- Md5:73438BFD4E605C1DD50D3B73FE9E60B0
  Sha256:46ca86c9234b1b7d252f2a5b3a9a5d6f42d566d6f7abb64939ba87bd4d3d68c6
- Md5:D60D52BC2D30D503996FB850FA82AB64
  Sha256:4c4ff3158764f80de0fdaf8d484f7f35d551f500e021519c7c6e8c0b027e0051

Recommended Action

Make sure that your FortiGate/FortiClient system is using the latest AV database.
Quarantine/delete files that are detected and replace infected files with clean backup copies.

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date	Version	Detail
2024-03-11	92.02346
2024-03-11	92.02345
2024-01-19	92.00790
2023-12-08	91.09540
2023-11-06	91.08560
2023-10-18	91.07987
2023-10-10	91.07737
2023-10-03	91.07530
2023-10-03	91.07527
2023-09-30	91.07440