W32/FakeAV.BW!tr
Analysis
W32/FakeAV.BW!tr is a sample variant issued by the Sasfis botnet. A detailed description and analysis of the Sasfis botnet can be viewed at the following URL: Sasfis Detailed Description.
Technical Details
- Drops the following file:
- %SYSTEM%\nnfj.tqo
This file is detected as W32/Sasfis.AJIL!tr. It connects to the Sasfis Command and Control (C&C) server and awaits instructions, so behavior may vary. As of this writing, it attempts to download a rogue anti-spyware called Antivirus XP 2010 or XP Internet Security 2010.
- Modifies the following registry entry:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
from: Shell = "Explorer.exe"
to: Shell = "Explorer.exe rundll32.exe nnfj.tqo nhemkk"
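The Winlogon Shell change above is the persistence point worth auditing: on a clean system the value is exactly "explorer.exe", and anything appended to it (here a rundll32.exe call into the dropped DLL) is what causes the payload to start with every logon. The script below is an added example, not part of this Fortinet entry or of any Fortinet tool; it reads the Shell value from HKLM and, as an assumption about standard Windows behaviour, also from HKCU (a per-user Shell value overrides the machine-wide one), flags any value other than a bare explorer.exe, and checks for the dropped file under %SYSTEM%. The final call reproduces this entry's "to:" value as constructed input with no registry access. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the Fortinet entry): audit the Winlogon Shell value that
# W32/FakeAV.BW!tr modifies, plus the dropped %SYSTEM%\nnfj.tqo file.

function Test-WinlogonShell {
    param([string]$ShellValue)
    # Collapse whitespace and ignore case; the only clean value is a bare explorer.exe.
    $normalized = ($ShellValue -replace '\s+', ' ').Trim().ToLowerInvariant()
    if ($normalized -eq 'explorer.exe') {
        return [pscustomobject]@{ Status = 'Clean'; Value = $ShellValue; Appended = '' }
    }
    # Everything after the first token is the appended command (e.g. rundll32.exe <dll> <export>).
    $appended = ($ShellValue.Trim() -split '\s+' | Select-Object -Skip 1) -join ' '
    return [pscustomobject]@{ Status = 'Suspicious'; Value = $ShellValue; Appended = $appended }
}

# HKLM is the location named in this entry; HKCU is checked as well because a per-user
# Shell value takes precedence when present (assumption: standard Winlogon behaviour).
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

foreach ($key in $keys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) {
        Write-Output "$key : Shell not set (normal for HKCU)"
        continue
    }
    $result = Test-WinlogonShell -ShellValue $shell
    Write-Output "$key : $($result.Status) -> $($result.Value)"
    if ($result.Status -eq 'Suspicious') {
        Write-Output "    appended command: $($result.Appended)"
    }
}

# The dropped file named in this entry; %SYSTEM% resolves to the System32 directory.
$dropped = Join-Path $env:SystemRoot 'System32\nnfj.tqo'
if (Test-Path -LiteralPath $dropped) {
    Write-Output "Dropped file present: $dropped (detected by Fortinet as W32/Sasfis.AJIL!tr)"
} else {
    Write-Output "Dropped file not present: $dropped"
}

# Worked example using this entry's 'to:' value (constructed input, no registry access).
Test-WinlogonShell -ShellValue 'Explorer.exe rundll32.exe nnfj.tqo nhemkk'
```

On an infected host the constructed call and the HKLM check both report Suspicious with "rundll32.exe nnfj.tqo nhemkk" as the appended command; the same Test-WinlogonShell function can be pointed at values exported from other machines (for example from a registry hive collected during incident response) to triage at scale.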
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
- FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.