W32/Generic.AR!tr
Analysis
W32/Generic.AR!tr is a generic detection for a trojan. Because the detection is generic, samples detected as W32/Generic.AR!tr may exhibit varying behaviour.
Below are examples of some of these behaviours:
- This malware drops the following files:
  - %Desktop%\game.exe : This file is a copy of the original malware itself.
  - %Desktop%\game.exe:Zone.Identifier : This file (the Zone.Identifier alternate data stream of game.exe) is detected as W32/Generic.AR!tr.
  - %Temp%\windowz.exe : This file is a copy of the original malware itself.
  - %StartUp%\9f7f2173619f650345ea1ca6aab1e770.exe : This file is a copy of the original malware itself.
  - %SystemDrive%\pornpic.scr : This file is a copy of the original malware itself.
  - %AppData%\Local\Temp\Update.txt : This text file contains the exact path of the malware.
- The malware attempts to connect to the following sites:
  - spr2{Removed}.ze.am
  - gkgk554{Removed}.codns.com
  - 8{Removed}.208.230.159
- Some of these samples have been observed to be corrupted or non-functioning.
- The following registry modifications are applied:
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    - 9f7f2173619f650345ea1ca6aab1e770 = "%AppData%\local\temp\windowz.exe" ..
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    - 9f7f2173619f650345ea1ca6aab1e770 = "%AppData%\local\temp\windowz.exe" ..
- The original copy of the malware may be deleted after execution.
- The malware may try to hide itself.
- The malware may try to shut down the system.
- The malware may try to install itself, or copy itself, into the system folder.
- This malware may check the registry as part of its anti-virtualization or anti-debugging techniques.
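As an added defender-side example (not Fortinet's code or part of this encyclopedia entry), the following Python triages a host snapshot against the persistence and dropped-file artefacts listed above: the Run value named with the hash-like string, windowz.exe launched from a Local\Temp folder, and the dropped file names including the Zone.Identifier stream. The placeholder expansion, the check functions and the sample snapshot are all constructed here, and the alice profile paths are assumptions.

```python
import os
import re

# Indicators taken from the page: the Run value name and the dropped file names.
RUN_VALUE_NAME = "9f7f2173619f650345ea1ca6aab1e770"
DROPPED_FILES = {"game.exe", "windowz.exe", "pornpic.scr", "update.txt",
                 RUN_VALUE_NAME + ".exe"}
RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run")

def expand_placeholders(path: str, env: dict) -> str:
    """Expand %Name% placeholders (as written on the page) case-insensitively."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path)

def check_run_keys(run_values: dict, env: dict) -> list:
    """Flag Run values named with the page's hash-like string, or launching
    windowz.exe from a Local\\Temp folder under any value name."""
    hits = []
    for key in RUN_KEYS:
        for name, data in run_values.get(key, {}).items():
            target = expand_placeholders(data.strip('"'), env).lower()
            if name.lower() == RUN_VALUE_NAME or target.endswith(r"\local\temp\windowz.exe"):
                hits.append(f"{key}\\{name} -> {data}")
    return hits

def check_files(paths) -> list:
    """Flag paths whose file name is a dropped file; the :Zone.Identifier
    alternate data stream from the page is matched through its host file name."""
    hits = []
    for p in paths:
        base = os.path.basename(p.replace("\\", "/")).lower()
        base = base.split(":", 1)[0]  # drop an ADS suffix such as :zone.identifier
        if base in DROPPED_FILES:
            hits.append(p)
    return hits

# Constructed sample snapshot (not real host data) shaped like a collector's output.
SAMPLE_ENV = {"appdata": r"C:\Users\alice\AppData\Roaming",
              "temp": r"C:\Users\alice\AppData\Local\Temp"}
SAMPLE_RUN = {RUN_KEYS[0]: {
    RUN_VALUE_NAME: r'"%AppData%\local\temp\windowz.exe"',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'}}
SAMPLE_FILES = [r"C:\Users\alice\Desktop\game.exe", r"C:\Users\alice\Desktop\game.exe:Zone.Identifier",
                r"C:\Users\alice\AppData\Local\Temp\Update.txt", r"C:\Users\alice\Documents\notes.txt"]

if __name__ == "__main__":
    for hit in check_run_keys(SAMPLE_RUN, SAMPLE_ENV) + check_files(SAMPLE_FILES):
        print("suspicious:", hit)
```

On a live host the snapshot would come from a registry export and a file listing; the matching is on names and Run targets only, so a hit is a triage lead to confirm, not proof of infection.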
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.