W32/Agent.BZR!tr.pws

Analysis


W32/Agent.BZR!tr.pws is a generic detection for a type of trojan that drops malware onto the compromised computer. Since this is a generic detection, files that are detected as W32/Agent.BZR!tr.pws may have varying behavior.
Below are examples of some of these behaviors:

  • A copy of the malware is dropped in the Temporary folder:
    • %Temp%\[OriginalFileName].exe

  • The malware applies the following registry modifications to be able to execute itself automatically:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • 1 = "%Temp%\[OriginalFileName].exe"

  • The malware injects code into the original malware process.

  • It receives traffic from certain IP addresses, such as the following:
    • 173.19{Removed} on TCP port 1131
    • 31.17{Removed} on TCP port 1132
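
As an added illustration (not part of the Fortinet write-up), the persistence check a defender would run over the Run key described above: a Python function that flags autorun values whose program lives in the user's Temp folder, handling quoted paths, %Temp% references and trailing arguments. The registry values, value names and user profile path below are constructed sample data, not indicators taken from the page.

```python
import ntpath
import re

# Constructed sample of the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key
# as (value name, value data) pairs, with an assumed user profile path.
SAMPLE_ENV = {"TEMP": r"C:\Users\alice\AppData\Local\Temp"}
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("1", r'"%Temp%\invoice.exe"'),                        # same shape as the entry in the analysis
    ("updater", r"C:\Users\alice\AppData\Local\Temp\upd.exe /silent"),
    ("Helper", r"C:\Program Files\Helper\helper.exe"),
]

def expand_env(value, env):
    """Expand %VAR% references using the supplied mapping (names are case-insensitive)."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), value)

def executable_path(value_data, env):
    """Return the program path from a Run value: the quoted path, or tokens up to the first .exe."""
    data = expand_env(value_data.strip(), env)
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    tokens = data.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return tokens[0] if tokens else ""

def is_under(path, directory):
    """True when `path` lies inside `directory`, comparing normalized Windows paths."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory))
    return p.startswith(d + "\\")

def flag_temp_run_entries(run_values, env):
    """Return the names of Run values whose program lives under the user's Temp folder."""
    temp_dir = expand_env("%TEMP%", env)
    return [name for name, data in run_values
            if is_under(executable_path(data, env), temp_dir)]

if __name__ == "__main__":
    for name in flag_temp_run_entries(SAMPLE_RUN_VALUES, SAMPLE_ENV):
        print("suspicious autorun value:", name)
```

On a live host the pairs would come from enumerating the Run key (for example with `winreg`) and `env` from `os.environ`; a legitimate installer rarely persists from Temp, so each hit warrants a look at the file.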

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2020-11-11 81.76200 Sig Updated
2020-09-25 80.63200 Sig Added
2019-12-24 74.02900 Sig Updated
2019-10-31 72.72700 Sig Added
2018-12-18 64.98900 Sig Updated
2018-11-29 64.54200 Sig Added
2018-10-21 63.09600 Sig Updated
2018-09-28 62.53300 Sig Added