W32/Spybot.AM!tr
Analysis
- Virus is 32 bit with a file size of 22,331 bytes
- If the virus is run, it copies itself into the Windows\System32 folder as "updt32v4.exe"
- The virus also modifies the registry so that it runs automatically at Windows startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\
"Configuration update" = UPDT32V4.EXE [extra data]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Configuration update" = UPDT32V4.EXE [extra data]
- The virus attempts to connect to the Internet IP address 62.141.239.229 on TCP port 6001 and awaits instructions from a hacker or group of hackers
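The two host-side indicators above (the autorun value and the C2 connection) can be checked from a registry export and `netstat -ano` output. The following script is an added example written for this page, not Fortinet's own tooling; the .reg and netstat samples it contains are constructed for illustration.

```python
import re
# Indicators from the analysis above: the autorun value and the C2 endpoint
PERSIST_VALUE = "configuration update"
PERSIST_DATA = "UPDT32V4.EXE"
PERSIST_KEYS = {r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
                r"hkey_local_machine\software\microsoft\windows\currentversion\run"}
C2_HOST, C2_PORT = "62.141.239.229", "6001"

# Constructed sample .reg export (not a real capture): one benign entry, two malicious
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Configuration update"="UPDT32V4.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Configuration update"="UPDT32V4.EXE"
"""

# Constructed sample of `netstat -ano` output (not a real capture)
SAMPLE_NETSTAT = """  TCP    10.0.0.5:49712    62.141.239.229:6001    ESTABLISHED    1337
  TCP    10.0.0.5:49713    93.184.216.34:443      ESTABLISHED    2201
"""

def find_persistence(reg_text):
    """Return (key, value_name, data) for every Spybot.AM autorun entry in a .reg export."""
    hits, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]           # start of a new key section
            continue
        m = re.match(r'"([^"]+)"="([^"]*)"', line)
        if not m or current_key is None:
            continue
        # Case-insensitive: the analysis lists "Runonce" while exports write "RunOnce"
        if (current_key.lower() in PERSIST_KEYS and m.group(1).lower() == PERSIST_VALUE
                and m.group(2).upper().startswith(PERSIST_DATA)):
            hits.append((current_key, m.group(1), m.group(2)))
    return hits

def find_c2_connections(netstat_text):
    """Return PIDs holding a TCP connection to the C2 address and port named in the analysis."""
    pids = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "TCP":
            host, _, port = parts[2].rpartition(":")
            if host == C2_HOST and port == C2_PORT:
                pids.append(int(parts[4]))
    return pids
```

On a live host, feed it the output of `reg export` for the two keys and of `netstat -ano`; a PID returned by `find_c2_connections` is the process to inspect and isolate.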
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option