W32/AGbot.AB!tr

Analysis


W32/AGbot.AB!tr is a generic detection for a type of trojan that establishes network communication with a remote server through an Internet Relay Chat (IRC) channel. Since this is a generic detection, files that are detected as W32/AGbot.AB!tr may have varying behavior.
Below are examples of some of these behaviors:

  • It creates a mutex named ragebot to make sure that only one instance of itself is running.

  • It drops a copy of itself to the following folder:
    • %CommonFiles%\System
    • In some samples, the name of the dropped copy is ragebot.exe. In other samples, the name is randomized.

  • It creates the following autorun registry entry:
    • key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • value: Windows Update
    • data: %CommonFiles%\System\[DroppedCopy].exe

  • The infected system is observed to receive TCP traffic from addresses such as:
    • 64.32{Removed} on port 6667 : This is the default port for IRC.
    • 83.21{Removed} on port 6676
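The host and network indicators above can be checked without the vendor's AV engine. The following is an added example (not Fortinet's code): it scans constructed firewall flow lines for TCP connections to the IRC ports named on the page and scans constructed Run-key entries for the "Windows Update" value pointing into a %CommonFiles%\System folder. The flow-line format and the registry tuples are assumptions made for the example.

```python
import re

# Indicators taken from the page: IRC C2 ports and the autorun entry the sample creates.
IRC_PORTS = {6667, 6676}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Windows Update"
DROP_DIR_FRAGMENT = "\\System\\"  # dropped copy lives under %CommonFiles%\System

# Constructed sample flow log (hypothetical format: proto src:sport -> dst:dport).
SAMPLE_FLOWS = """\
tcp 192.0.2.10:49152 -> 203.0.113.5:443
tcp 192.0.2.10:49153 -> 203.0.113.9:6667
tcp 192.0.2.11:49200 -> 203.0.113.20:6676
udp 192.0.2.10:53111 -> 203.0.113.1:53
"""

FLOW_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def suspicious_irc_flows(log_text):
    """Return (src, dst, dport) for every TCP flow whose destination port is an IRC C2 port."""
    hits = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        if m["proto"] == "tcp" and int(m["dport"]) in IRC_PORTS:
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits


# Constructed Run-key entries as (key, value_name, data) tuples, e.g. parsed from a .reg export.
SAMPLE_RUN_ENTRIES = [
    (RUN_KEY, "OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (RUN_KEY, "Windows Update", r"C:\Program Files\Common Files\System\ragebot.exe"),
]


def suspicious_run_entries(entries):
    """Flag Run entries named 'Windows Update' whose data points into a ...\\System\\ folder."""
    return [
        e for e in entries
        if e[0].lower() == RUN_KEY.lower()
        and e[1] == RUN_VALUE
        and DROP_DIR_FRAGMENT.lower() in e[2].lower()
    ]
```

A genuine Windows Update component does not register itself under this Run key, so a match on the value name combined with the drop folder is a strong host indicator for this family.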

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product Availability
FortiGate Extreme
FortiClient Extended
FortiMail Extended
FortiSandbox Extended
FortiWeb Extended
Web Application Firewall Extended
FortiIsolator Extended
FortiDeceptor Extended
FortiEDR

Version Updates

Date Version Detail
2024-01-22 92.00882
2023-12-09 91.09575
2021-05-19 86.00293
2021-04-27 85.00761
2021-04-13 85.00424
2021-01-25 83.55700 Sig Updated
2021-01-25 83.55400 Sig Updated
2021-01-19 83.40900 Sig Updated
2020-10-26 81.37700 Sig Added