W32/AGbot.AB!tr
Analysis
W32/AGbot.AB!tr is a generic detection for a type of trojan that establishes network communication with a remote server through an Internet Relay Chat (IRC) channel. Since this is a generic detection, files detected as W32/AGbot.AB!tr may have varying behavior.
Below are examples of some of these behaviors:
- It creates a mutex named ragebot to make sure that only one instance of itself is running.
- It drops a copy of itself to the following folder:
  - %CommonFiles%\System
- In some samples, the name of the dropped copy is ragebot.exe; in other samples, the name is randomized.
- It creates the following autorun registry entry:
  - key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - value: Windows Update
  - data: %CommonFiles%\System\[DroppedCopy].exe
- The infected system is observed to receive TCP traffic from addresses such as:
  - 64.32{Removed} on port 6667 (the default port for IRC)
  - 83.21{Removed} on port 6676
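The indicators above (mutex name, drop folder, Run-key entry, IRC ports) translate directly into host-triage checks. The script below is an added example written for this entry; it is not Fortinet's code and not code from any sample. The function names, the data classes, and all sample inputs (Run-key entries, connection records, a directory listing) are constructed for illustration, and the IP addresses come from documentation ranges because the addresses in the analysis are redacted.

```python
"""Host-triage checks for the W32/AGbot.AB!tr indicators described above.
Added example: not Fortinet's code; helper names and sample data are constructed."""
import re
import sys
from dataclasses import dataclass

# Indicators taken from the analysis: mutex, dropped-file name, Run-key entry, IRC ports.
MUTEX_NAME = "ragebot"
DROP_FILE = "ragebot.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Windows Update"
IRC_PORTS = {6667, 6676}
# %CommonFiles%\System expands to ...\Common Files\System. The dropped name may be
# randomized, so any .exe placed directly in that folder is matched.
DROP_DIR_RE = re.compile(r"\\common files\\system\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class AutorunEntry:  # one Run-key value as a registry export or autoruns tool would list it
    key: str
    value: str
    data: str


@dataclass
class Connection:  # one socket as a netstat-style listing would report it
    proto: str
    remote_ip: str
    remote_port: int
    state: str


def check_autorun(entries):
    """Return Run-key entries matching the indicator: HKLM Run key, value name
    'Windows Update', data pointing at an .exe under %CommonFiles%\\System."""
    hits = []
    for e in entries:
        if e.key.lower() != RUN_KEY.lower():
            continue
        if e.value.strip().lower() != RUN_VALUE.lower():
            continue
        if DROP_DIR_RE.search(e.data.strip().strip('"')):  # tolerate quoted paths
            hits.append(e)
    return hits


def check_connections(conns):
    """Return TCP connections to the IRC ports named in the analysis. Port 6667 is
    also used by legitimate IRC clients, so a hit is a lead to review, not proof."""
    return [c for c in conns if c.proto.upper() == "TCP" and c.remote_port in IRC_PORTS]


def check_drop_dir(listing):
    """Given a directory listing of %CommonFiles%\\System, return (name, reason) pairs:
    'known' for ragebot.exe, 'review' for any other .exe (randomized drop names)."""
    findings = []
    for name in listing:
        low = name.lower()
        if low == DROP_FILE:
            findings.append((name, "known"))
        elif low.endswith(".exe"):
            findings.append((name, "review"))
    return findings


def mutex_present(name=MUTEX_NAME):
    """On Windows, report whether the named mutex exists (a running instance holds
    'ragebot'). Returns None on other platforms, where the check cannot run."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    SYNCHRONIZE = 0x00100000
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if not handle:
        return False
    k32.CloseHandle(handle)
    return True


# Constructed sample data (two matching Run-key entries, one benign; two IRC-port TCP sockets).
SAMPLE_AUTORUNS = [
    AutorunEntry(RUN_KEY, "Windows Update", r"C:\Program Files\Common Files\System\ragebot.exe"),
    AutorunEntry(RUN_KEY, "Windows Update", r'"C:\Program Files\Common Files\System\xkq72.exe"'),
    AutorunEntry(RUN_KEY, "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]
SAMPLE_CONNECTIONS = [
    Connection("TCP", "192.0.2.10", 6667, "ESTABLISHED"),
    Connection("TCP", "192.0.2.11", 443, "ESTABLISHED"),
    Connection("UDP", "192.0.2.12", 6676, "-"),
    Connection("TCP", "198.51.100.5", 6676, "SYN_SENT"),
]
SAMPLE_LISTING = ["ado", "msadc", "ragebot.exe", "update.exe"]


def triage(entries, conns, listing):
    """Run every check and return the findings a responder should look at first."""
    return {
        "autorun": check_autorun(entries),
        "irc_connections": check_connections(conns),
        "drop_dir": check_drop_dir(listing),
        "mutex": mutex_present(),
    }


if __name__ == "__main__":
    for section, result in triage(SAMPLE_AUTORUNS, SAMPLE_CONNECTIONS, SAMPLE_LISTING).items():
        print(f"{section}: {result}")
```

On a live host the entries, connections and listing would come from a registry export, a netstat-style listing and `os.listdir` of the expanded Common Files path; the checks stay the same. Only the mutex probe needs Windows, and it is deliberately a one-shot open-and-close so the triage itself leaves no handle behind.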
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability

Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |