W32/FakeAV.BW!tr

Analysis



W32/FakeAV.BW!tr is a variant distributed by the Sasfis botnet. A detailed description and analysis of the Sasfis botnet can be viewed at the following URL: Sasfis Detailed Description.

Technical Details


  • Drops the following file:
    • %SYSTEM%\nnfj.tqo

    This file is detected as W32/Sasfis.AJIL!tr. It connects to the Sasfis Command and Control (C&C) server and awaits instructions, so its behavior may vary. As of this writing, it attempts to download a rogue anti-spyware product called Antivirus XP 2010 or XP Internet Security 2010.

  • Modifies the following registry entry:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
        from: Shell = "Explorer.exe"
        to: Shell = "Explorer.exe rundll32.exe nnfj.tqo nhemkk"
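A defender-side check for the Winlogon Shell modification described above, added here as an example and not taken from the Fortinet page: it parses a Shell value and flags anything beyond a bare Explorer.exe, in particular rundll32.exe loading a module that lacks a .dll extension (nnfj.tqo in this variant). The comma/space parsing rules and the live-registry helper are this example's own assumptions.

```python
import platform
from pathlib import PureWindowsPath
from typing import List, Optional

# Key path from the description above; a clean system has just Explorer.exe.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"


def check_shell_value(value: str) -> List[str]:
    """Return findings for a Winlogon Shell value; an empty list means clean."""
    findings = []
    # Winlogon accepts several programs separated by commas; this variant
    # instead appends its rundll32 command after Explorer.exe with a space.
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        return ["Shell value is empty"]
    if PureWindowsPath(entries[0].split()[0]).name.lower() != EXPECTED_SHELL:
        findings.append(f"first shell program is {entries[0]!r}, not Explorer.exe")
    for entry in entries:
        tokens = entry.split()
        names = [PureWindowsPath(t).name.lower() for t in tokens]
        if len(tokens) > 1:
            findings.append(f"extra command line after {tokens[0]}: {' '.join(tokens[1:])!r}")
        if "rundll32.exe" in names:
            # rundll32 <module> <export>: a module without a .dll extension
            # (nnfj.tqo here) is the tell-tale sign for this family.
            idx = names.index("rundll32.exe")
            module = tokens[idx + 1] if idx + 1 < len(tokens) else ""
            if not module.lower().endswith(".dll"):
                findings.append(f"rundll32.exe loads non-DLL module {module!r}")
    if len(entries) > 1:
        findings.append(f"{len(entries)} shell entries; expected only Explorer.exe")
    return findings


def read_live_shell_value() -> Optional[str]:
    """Read HKLM's Winlogon Shell value on Windows; None on other platforms."""
    if platform.system() != "Windows":
        return None
    import winreg  # Windows-only module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Shell")[0]


if __name__ == "__main__":
    # Constructed samples: the clean value and the modified value from the page;
    # on Windows the live registry value is checked as well.
    live = read_live_shell_value()
    samples = ["Explorer.exe", "Explorer.exe rundll32.exe nnfj.tqo nhemkk"] + ([live] if live else [])
    for sample in samples:
        print(f"{sample!r}: {check_shell_value(sample) or 'clean'}")
```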



Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-11-20 91.08976
2022-10-18 90.07000
2021-12-07 89.07553
2021-11-23 89.07133
2021-11-09 89.06714
2021-10-12 89.05880
2021-10-12 89.05857
2021-09-10 89.00120
2021-09-07 88.00941
2021-08-24 88.00595