W32/Agent.IW!tr
Analysis
Upon infection, the malware drops the following two files:
C:\WINDOWS\System\svchost.exe
C:\WINDOWS\System\svchosthook.dll
Immediately afterwards, it deletes itself. The first file dropped is just a copy of the malware, while the .dll is injected into the explorer.exe process. As might be expected, this DLL contains the malicious code; injecting it into explorer.exe makes the malware harder for users to detect or terminate (some may say "stealthier"), since it does not appear as a separate entry in the system task list. Also, deleterious actions may be performed under the name of the supposedly legitimate process explorer.exe. The malicious code tries to connect to bnsec.infectedhost.net on ports 1025 and 1030 to retrieve further orders, while a backdoor is opened on a higher TCP port.
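The following triage script is an added example, not part of this write-up or of any Fortinet product: it scans host log lines for the three behaviours described above (the two dropped files, an explorer.exe connection to the control host on port 1025 or 1030, and explorer.exe listening on a high TCP port). The log format and the sample lines are constructed for illustration; adapt the parser to your own EDR or Sysmon export.

```python
import re
from typing import Iterable

# Indicators taken from the analysis above. Note the drop directory is
# C:\WINDOWS\System, not System32 where the legitimate svchost.exe lives.
DROPPED_FILES = {
    r"c:\windows\system\svchost.exe",       # copy of the dropper
    r"c:\windows\system\svchosthook.dll",   # DLL injected into explorer.exe
}
C2_HOST = "bnsec.infectedhost.net"
C2_PORTS = {1025, 1030}
HIGH_PORT = 1024                             # backdoor listens above this

# Constructed log format (assumption): "<type> proc=<image> key=value ..."
LINE = re.compile(r"^(?P<type>\w+) proc=(?P<proc>\S+)(?: (?P<rest>.*))?$")

def triage(lines: Iterable[str]) -> list[str]:
    """Return one finding string for every log line matching an indicator."""
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        kind, proc, rest = m["type"], m["proc"].lower(), m["rest"] or ""
        fields = dict(kv.split("=", 1) for kv in rest.split())
        if kind == "FileCreate" and fields.get("path", "").lower() in DROPPED_FILES:
            findings.append(f"dropped file written by {proc}: {fields['path']}")
        elif kind == "NetConnect" and proc.endswith("explorer.exe"):
            host, _, port = fields.get("dst", "").rpartition(":")
            if host.lower() == C2_HOST and port.isdigit() and int(port) in C2_PORTS:
                findings.append(f"explorer.exe beacon to {host}:{port}")
        elif kind == "Listen" and proc.endswith("explorer.exe"):
            port = fields.get("lport", "")
            if port.isdigit() and int(port) > HIGH_PORT:
                findings.append(f"explorer.exe listening on high port {port}")
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "FileCreate proc=C:\\Temp\\dropper.exe path=C:\\WINDOWS\\System\\svchost.exe",
    "FileCreate proc=C:\\Temp\\dropper.exe path=C:\\WINDOWS\\System\\svchosthook.dll",
    "NetConnect proc=C:\\WINDOWS\\explorer.exe dst=bnsec.infectedhost.net:1030",
    "NetConnect proc=C:\\WINDOWS\\explorer.exe dst=update.example.com:443",
    "Listen proc=C:\\WINDOWS\\explorer.exe lport=4567",
    "Listen proc=C:\\WINDOWS\\System32\\svchost.exe lport=135",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```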
Recommended Action
Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option