W32/Agent.BZR!tr.pws
Analysis
W32/Agent.BZR!tr.pws is a generic detection for a type of trojan that drops malware onto the compromised computer. Since this is a generic detection, files detected as W32/Agent.BZR!tr.pws may have varying behavior.
Below are examples of some of these behaviors:
- A copy of the malware is dropped in the Temporary folder:
- %Temp%\[OriginalFileName].exe
- The malware applies the following registry modifications to be able to execute itself automatically:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- 1 = "%Temp%\[OriginalFileName].exe"
- The malware injects code into the original malware process.
- It receives traffic from certain IP addresses, such as the following:
- 173.19{Removed} on TCP port 1131
- 31.17{Removed} on TCP port 1132
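The persistence entry above (a Run value that launches an executable from the Temporary folder) can be checked for offline. The following is an added example, not code from this page or from Fortinet: it takes a dump of HKCU\...\Run values (name to command line) plus the user's environment and flags every entry whose executable resolves inside %Temp%. The sample values and paths are constructed for illustration.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# values (value name -> command line). Not real telemetry.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "1": '"%Temp%\\dropper.exe"',
    "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "Updater": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe -silent",
}

# Constructed user environment, as the Run entries would see it at logon.
SAMPLE_ENV: Dict[str, str] = {"Temp": "C:\\Users\\alice\\AppData\\Local\\Temp"}

_VAR = re.compile(r"%([^%]+)%")


def expand_env(command: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references with Windows (case-insensitive) name matching.
    Unknown variables are left untouched, as Explorer would leave them."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), command)


def executable_path(command: str) -> str:
    """Return the program part of a Run command line: the quoted token when the
    line starts with a quote, otherwise the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(None, 1)[0] if command else ""


def is_under(path: str, directory: str) -> bool:
    """True when path lies inside directory (normalised, case-insensitive).
    The trailing separator stops 'Temp' from matching 'Temporary'."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory))
    return p.startswith(d + ntpath.sep)


def find_temp_run_entries(run_values: Dict[str, str], env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag Run entries whose executable resolves into %Temp%; returns (name, resolved path)."""
    temp_dir = {k.lower(): v for k, v in env.items()}.get("temp", "")
    flagged = []
    for name, command in run_values.items():
        exe = executable_path(expand_env(command, env))
        if temp_dir and is_under(exe, temp_dir):
            flagged.append((name, exe))
    return flagged
```

On a live host the same function can be fed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the session's `%Temp%`; a hit is a persistence entry to triage, not by itself proof of this family.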
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| Product | Availability |
| --- | --- |
| FortiGate | |
| FortiClient | |
| FortiAPS | |
| FortiAPU | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR | |