virus logo Virus

W32/Generic.AR!tr

description-logoAnalysis



W32/Generic.AR!tr is a generic detection for a trojan. Since this is a generic detection, malware that are detected as W32/Generic.AR!tr may have varying behaviour.
Below are examples of some of these behaviours:

  • This malware drops the following files:
    • undefineddesktopundefined\game.exe : This file is a copy of the original malware itself.
    • undefineddesktopundefined\game.exe:zone.identifier : This file is detected as W32/Generic.AR!tr.
    • undefinedTempundefined\windowz.exe : This file is a copy of the original malware itself.
    • undefinedStartUpundefined\9f7f2173619f650345ea1ca6aab1e770.exe : This file is a copy of the original malware itself.
    • undefinedsystemdriveundefined\pornpic.scr : This file is a copy of the original malware itself.
    • undefinedAppDataundefined\Local\Temp\Update.txt : This text file contains the exact path for the malware.

  • The malware attempts to connect to the following sites:
    • spr2{Removed}.ze.am
    • gkgk554{Removed}.codns.com
    • 8{Removed}.208.230.159

  • Some of these malwares have been observed to be corrupted or none functioning.

  • The following registry modifications are applied:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
      • 9f7f2173619f650345ea1ca6aab1e770 = \undefinedAppDataundefined\local\temp\windowz.exe\ ..
      This automatically executes the dropped file every time the infected user logs on.
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
      • 9f7f2173619f650345ea1ca6aab1e770 = \undefinedAppDataundefined\local\temp\windowz.exe\ ..
      This registry corresponds to an autostart pointed out by windows for every restart of the host machine.

  • The original copy of the malware may be deleted after execution.

  • The malware may try to hide itself.

  • The malware may try to shutdown system.

  • The malware may try to install itself or copy in system folder.

  • This malware may check the registry as part of its anti-virtualization or anti-debugging techniques.



recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2022-05-31 90.02802
2022-05-25 90.02622
2021-06-15 86.00934
2021-06-08 86.00766
2021-06-01 86.00601
2021-05-04 85.00929
2021-04-20 85.00593
2021-04-13 85.00424
2021-04-01 85.00134
2021-03-25 84.00977
ID 3586459
Released Feb 25, 2012
Description
Updated		 Sep 15, 2017
Aliases TROJ_GEN.R02DC0DIC17, Gen:Heur.MSIL.Krypt.2, MSIL/Bladabindi.AR worm, RDN/Generic Dropper trojan, TROJ_GEN.R002C0DIE17, Troj/MSIL-KIC, Gen:Heur.MSIL.Krypt.4, MSIL/Agent.AR worm, RDN/Generic.hbg trojan, Gen:Heur.MSIL.Bladabindi.1, TROJ_GEN.R002C0GIC17, Win3
Platform Profile Win32 file format / PE 32 bit