W32/Simda.B!tr
Analysis
- It drops the following files:
- undefinedTempundefined\[Number].sys : This is a data file.
- undefinedAppDataundefined\ScanDisc.exe : This is a copy of the original file.
- undefinedWindowsundefined\AppPatch\[Random].exe : This is a copy of the original file.
- It adds the following registry entry to automatically execute itself whenever the infected user logs on:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- userinit = "undefinedWindowsundefined\AppPatch\[Random].exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- It tries to access the following URLs:
- http://217.{Removed}.126/chrome/report.html
- http://update1.jer{Removed}.in
- It deletes the original malware file from the current folder.
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
FortiGate | |
---|---|
Extended | |
FortiClient | |
FortiMail | |
FortiSandbox | |
FortiWeb | |
Web Application Firewall | |
FortiIsolator | |
FortiDeceptor | |
FortiEDR |