W32/Sality.Q
Analysis
%SystemDir%\vcmgcd32.dl_
%SystemDir%\vcmgcd32.dll
All of the above files are instances of W32/Sality infected variants. File asn1sys.exe listens on a random local port and attempts to connect to www.mapheadstart.org on remote port 6667. Some known minor variants in the wild also drop the following files:
C:\wpincheg32.exe
%TempFolder%\windvfcf.exe
%TempFolder%\winwmhi.exe
File windvfcf.exe is detected as W32/Agent.AMT!tr.
    Asn1 Security Systems="asn1sys.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    Asn1 Security Systems="asn1sys.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Asn1 Security Systems="asn1sys.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Asn1 Security Systems="asn1sys.exe"
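The persistence values and the remote endpoint above are the indicators a responder would sweep a host for. The script below is an added example, not Fortinet's tooling and not part of the original entry: it checks a .reg-style registry export for the "Asn1 Security Systems" autorun value (reporting whether it sits under one of the three keys listed above or somewhere else) and scans connection-log lines for traffic to www.mapheadstart.org or to port 6667. The registry export and the log line format are constructed sample inputs; the `timestamp src -> dst:port` layout is an assumption for the example.

```python
"""Indicator sweep for the W32/Sality.Q artefacts listed on this page.

Added example, not Fortinet's own tooling. The .reg export and the
connection log used below are constructed sample data; the log line
format (timestamp src -> dst:port) is an assumption for this example.
"""
import re

# Indicators taken from the page.
PERSISTENCE_VALUE_NAME = "Asn1 Security Systems"
PERSISTENCE_VALUE_DATA = "asn1sys.exe"
PERSISTENCE_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
C2_HOST = "www.mapheadstart.org"
C2_PORT = 6667

_KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...\Key]
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "Name"="data"
_CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+)$")


def find_persistence_entries(reg_export):
    """Return (key, data, under_listed_key) for every value in a .reg-style
    export whose name/data match the autorun entry from the page.

    The value is flagged under any key, because the first entry on the
    page is listed without its key; the third field records whether the
    key is one of the three documented ones."""
    hits = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        name, data = m.group(1), m.group(2)
        # .reg data may hold a bare name or a full path (with doubled
        # backslashes); compare only the trailing file name, case-insensitively.
        file_name = data.rsplit("\\", 1)[-1].lower()
        if name == PERSISTENCE_VALUE_NAME and file_name == PERSISTENCE_VALUE_DATA:
            hits.append((current_key, data, current_key in PERSISTENCE_KEYS))
    return hits


def find_c2_connections(log_lines):
    """Return (ts, src, dst, port, reason) for log lines that reach the
    documented host, or any host on the documented remote port."""
    hits = []
    for line in log_lines:
        m = _CONN_RE.match(line.strip())
        if not m:
            continue  # not in the constructed log format; skip
        dst, port = m.group("dst").lower(), int(m.group("port"))
        if dst == C2_HOST:
            reason = "c2-host"
        elif port == C2_PORT:
            # Weaker signal on its own (any IRC traffic); worth review when the
            # same host also carries the dropped files or registry values.
            reason = "irc-port"
        else:
            continue
        hits.append((m.group("ts"), m.group("src"), dst, port, reason))
    return hits


# Constructed sample inputs (not captured from a real infection).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
"Asn1 Security Systems"="asn1sys.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"Asn1 Security Systems"="asn1sys.exe"

[HKEY_CURRENT_USER\Software\Example]
"Asn1 Security Systems"="C:\\WINDOWS\\system32\\asn1sys.exe"
"""

SAMPLE_CONN_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 -> www.mapheadstart.org:6667",
    "2024-01-01T10:00:01Z 10.0.0.5 -> example.com:443",
    "2024-01-01T10:00:02Z 10.0.0.7 -> irc.example.net:6667",
    "malformed line",
]

if __name__ == "__main__":
    for key, data, listed in find_persistence_entries(SAMPLE_REG_EXPORT):
        print(f"persistence: {key} -> {data} ({'documented key' if listed else 'other key'})")
    for ts, src, dst, port, reason in find_c2_connections(SAMPLE_CONN_LOG):
        print(f"network: {ts} {src} -> {dst}:{port} [{reason}]")
```

On a live Windows host the same functions can be fed the output of `reg export` and a firewall or proxy connection log; the registry check deliberately matches the value name anywhere, since the first entry on this page is listed without its key.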
Recommended Action
- Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option.
- Quarantine/delete the infected files detected and replace them with clean backup copies.
Detection Availability

Product | Level
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR | (not listed)