W32/Agent.HD!tr
Analysis
This Trojan installs itself as a file named "iejava.exe" in the Windows System folder of the local system (the System32 folder, as the registry entry below shows). It tries to notify (presumably) the Trojan author using a server-side script that uploads the IP address and TCP port in use by the Trojan. The TCP port used by the Trojan is selected at random.
Loading at Windows startup
The Trojan copies itself to the Windows System folder and adds a registry Run entry
so that it is loaded every time Windows starts -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"IE Java Update" = C:\WINNT\System32\iejava.exe
Server Connection Attempts
The Trojan tries to connect to two domains and run server-side scripts that append
the IP address and TCP port it is using to a log file. The domains were not reachable
at the time of this writing. The URLs involved are the following -
Miscellaneous
Using a command line tool courtesy of Sysinternals.com, the open port in use
by the Trojan can be detected easily -
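Because the Trojan's port is random, a defender cannot key on a port number; the reliable handles are the Run-key value, the image name and the PID that owns the listening socket. As an added example (not part of the original Fortinet page), the Python helper below correlates those three over constructed `reg query`, `tasklist` and `netstat -ano` style output; the port 37319, the PIDs and the other processes in the samples are invented.

```python
"""Added detection helper: correlate the Run-key entry, the running process
and the listening TCP port of iejava.exe. Sample data below is constructed;
on a live host feed it the real command output instead."""
import re

# Constructed sample: `reg query HKLM\...\Run` output on an infected host
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    IE Java Update    REG_SZ    C:\WINNT\System32\iejava.exe
"""
# Constructed sample: image name -> PID, as `tasklist` would report it
SAMPLE_TASKLIST = {"svchost.exe": 812, "iejava.exe": 1524, "explorer.exe": 1100}
# Constructed sample: `netstat -ano` output; the port 37319 is invented
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:37319          0.0.0.0:0              LISTENING       1524
  TCP    192.168.1.5:49700      93.184.216.34:80       ESTABLISHED     1100
"""

SUSPECT_IMAGE = "iejava.exe"  # file name reported in the analysis above
RUN_VALUE_RE = re.compile(r"^\s*(?P<name>.+?)\s{2,}REG_\w+\s{2,}(?P<data>.+?)\s*$")
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+\S+:(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$")


def find_run_entries(reg_output, image=SUSPECT_IMAGE):
    """Return (value name, command) pairs in the Run key that launch `image`."""
    hits = []
    for line in reg_output.splitlines():
        m = RUN_VALUE_RE.match(line)
        if m and m.group("data").lower().endswith(image):
            hits.append((m.group("name"), m.group("data")))
    return hits


def listening_ports_for(netstat_output, pid):
    """Return TCP ports in LISTENING state owned by `pid` (any port number)."""
    return [int(m.group("port")) for m in map(NETSTAT_RE.match,
            netstat_output.splitlines()) if m and int(m.group("pid")) == pid]


def assess(reg_output, tasklist, netstat_output, image=SUSPECT_IMAGE):
    """Tie persistence entry, live process and random listening port together."""
    pid = tasklist.get(image)
    return {"run_entries": find_run_entries(reg_output, image), "pid": pid,
            "ports": listening_ports_for(netstat_output, pid) if pid else []}
```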
Recommended Action
- Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option
- Quarantine/delete infected files detected and replace infected files with clean backup copies