W32/Agent.IW!tr

Analysis

Upon infection, the malware drops the following two files:

C:\WINDOWS\System\svchost.exe
C:\WINDOWS\System\svchosthook.dll

Immediately afterwards, it deletes its original file. The first dropped file is simply a copy of the malware; the .dll is injected into the explorer.exe process. Note that the legitimate svchost.exe lives in C:\WINDOWS\System32, so a file of that name under C:\WINDOWS\System is itself an indicator of this infection.

The injected DLL carries the malicious code. Running inside explorer.exe makes the malware harder for users to notice or terminate (it is "stealthier"): it does not appear as a separate entry in the task list, and killing it would mean killing the Windows shell. Any harmful actions it performs are attributed to the supposedly legitimate explorer.exe process.

The malicious code tries to connect to bnsec.infectedhost.net on TCP ports 1025 and 1030 to retrieve further commands, and opens a backdoor listening on a higher TCP port.
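The behaviour described above maps directly onto host telemetry: a file-create event for each dropped file, an image-load event for svchosthook.dll inside explorer.exe, and a network-connect event from explorer.exe to the command-and-control host. The following is an added example (not Fortinet's code and not part of this encyclopedia entry) that encodes those indicators as detection rules and runs them over a few constructed, Sysmon-style key=value events. It also generalises the dropped-file indicator into a check for any svchost.exe outside System32/SysWOW64, which catches the same trick under a different drop directory. The event format, the sample lines, and the field names (EventID, Image, TargetFilename, ImageLoaded, DestinationHostname, DestinationPort) are assumptions for the example.

```python
"""IOC matcher for the W32/Agent.IW!tr behaviour described above (added example)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Indicators taken from the analysis text (paths compared case-insensitively).
DROPPED_FILES = {
    r"c:\windows\system\svchost.exe",
    r"c:\windows\system\svchosthook.dll",
}
INJECTED_DLL = "svchosthook.dll"
C2_HOST = "bnsec.infectedhost.net"
C2_PORTS = {1025, 1030}

# Directories where a genuine svchost.exe lives; a copy anywhere else is suspect.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample telemetry in a Sysmon-like key=value form (assumption; not real logs).
# 11 = file create, 7 = image load, 3 = network connect.
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\Users\bob\Downloads\invoice.exe TargetFilename=C:\WINDOWS\System\svchost.exe",
    r"EventID=11 Image=C:\Users\bob\Downloads\invoice.exe TargetFilename=C:\WINDOWS\System\svchosthook.dll",
    r"EventID=7 Image=C:\WINDOWS\explorer.exe ImageLoaded=C:\WINDOWS\System\svchosthook.dll",
    r"EventID=3 Image=C:\WINDOWS\explorer.exe DestinationHostname=bnsec.infectedhost.net DestinationPort=1025",
    r"EventID=7 Image=C:\WINDOWS\explorer.exe ImageLoaded=C:\WINDOWS\System32\shell32.dll",
    r"EventID=3 Image=C:\WINDOWS\System32\svchost.exe DestinationHostname=update.example.com DestinationPort=443",
    r"EventID=3 Image=C:\WINDOWS\explorer.exe DestinationIp=203.0.113.5 DestinationPort=1030",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value event line into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return a list of 'rule: detail' strings for every indicator the event matches."""
    hits: List[str] = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    target = ev.get("TargetFilename", "")

    # Rule 1: creation of one of the two dropped files named in the analysis.
    if eid == "11" and target.lower() in DROPPED_FILES:
        hits.append(f"dropped-file: {target}")

    # Rule 2 (generalised): svchost.exe anywhere except System32/SysWOW64.
    for path in (image, target):
        if _basename(path) == "svchost.exe" and _dirname(path) not in LEGIT_SVCHOST_DIRS:
            hits.append(f"svchost-outside-system32: {path}")

    # Rule 3: the hook DLL being loaded into explorer.exe (the injection step).
    if eid == "7" and _basename(image) == "explorer.exe":
        if _basename(ev.get("ImageLoaded", "")) == INJECTED_DLL:
            hits.append(f"injected-dll: {ev['ImageLoaded']}")

    # Rule 4: C2 contact. Matching the hostname is high confidence; matching only
    # explorer.exe plus port 1025/1030 is weaker and may need tuning in practice.
    if eid == "3":
        host = ev.get("DestinationHostname", "").lower()
        port_str = ev.get("DestinationPort", "")
        port = int(port_str) if port_str.isdigit() else -1
        if host == C2_HOST or (_basename(image) == "explorer.exe" and port in C2_PORTS):
            dest = host or ev.get("DestinationIp", "?")
            hits.append(f"c2-connection: {image} -> {dest}:{port}")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run every rule over every line; return (line index, finding) pairs."""
    return [(i, h) for i, line in enumerate(lines) for h in check_event(parse_event(line))]


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count findings per rule name."""
    return dict(Counter(h.split(":", 1)[0] for _, h in scan(lines)))


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"line {idx}: {finding}")
    print(summarize(SAMPLE_EVENTS))
```

On the sample data the benign lines (explorer.exe loading shell32.dll, the real System32\svchost.exe talking to port 443) produce no findings, while the drop, the injection and both C2 attempts are flagged. The first drop line fires twice, once for the exact path and once for the generalised svchost.exe location check, which is the intended overlap.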

Recommended Action

Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date         Version     Detail
2024-03-18   92.02564
2024-03-11   92.02346
2024-03-02   92.02073
2024-01-29   92.01084
2024-01-21   92.00851
2024-01-20   92.00830
2023-09-12   91.06894
2023-07-29   91.05536
2023-07-29   91.05535
2023-06-06   91.03953