Virus

W32/Simda.B!tr

Analysis

It drops the following files:
- undefinedTempundefined\[Number].sys : This is a data file.
- undefinedAppDataundefined\ScanDisc.exe : This is a copy of the original file.
- undefinedWindowsundefined\AppPatch\[Random].exe : This is a copy of the original file.

It adds the following registry entry to automatically execute itself whenever the infected user logs on:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  - userinit = "undefinedWindowsundefined\AppPatch\[Random].exe"

It tries to access the following URLs:
- http://217.{Removed}.126/chrome/report.html
- http://update1.jer{Removed}.in

It deletes the original malware file from the current folder.

Recommended Action

FortiGate Systems

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

FortiClient Systems

Quarantine/delete files that are detected and replace infected files with clean backup copies.

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date	Version	Detail
2024-04-09	92.03221
2024-03-26	92.02792
2023-10-24	91.08167
2023-10-18	91.07987
2023-09-12	91.06894
2023-07-30	91.05580
2023-06-20	91.04373
2023-06-13	91.04163
2023-06-06	91.03953
2023-05-30	91.03736

ID	3654189
Released	Mar 23, 2012
Description Updated	Nov 14, 2012
Aliases	Trojan-Downloader.Win32.Agent.wlrs (KAV), Win32/Simda.B trojan (NOD32)
Platform Profile	Win32 file format / PE 32 bit