W32/VBKrypt.MBSX!tr
Analysis
- Drops the following file:
  - %AppData%\system32\intelgfx.exe
    - This is a copy of itself with some differences at the end of the file. This is also detected as W32/VBKrypt.MBSX!tr.
- Creates another process instance of itself, injects malicious code into it, and executes it.
- Injects malicious code into the following processes:
  - svchost.exe
  - explorer.exe
- Adds the following startup registry entry:
  - key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - value: invidiadriver
  - data: %AppData%\system32\intelgfx.exe
- Attempts to steal account information for the following websites or software:
  - AIM
  - FileZilla
  - Gizmo5
  - GMail
  - ICQ
  - IMVU
  - Miranda IM
  - Paltalk
  - pidgin
  - Trillian
  - Vitalwerks No-IP
  - WindowsLive
  - www.dyndns.com
  - www.rapidshare.com
  - Yahoo Mail
  - Yahoo! Messenger
- Attempts to steal stored user/password information for the following software:
  - COMODO Dragon
  - Google Chrome
  - Internet Download Manager
  - Internet Explorer
  - Mozilla Firefox
- Attempts to steal server and account information for the following protocols:
  - FTP
  - SMTP
- Creates the file data.tmp in the Temporary folder. This is a text file containing the stolen information, one record per line, in the following format:
  - URL,Web Browser,User Name,Password,Password Strength
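A host-triage check for the three persistent artifacts listed above (the Run value, the dropped copy, and the data.tmp dump), added here as an example; it is not part of Fortinet's entry. It assumes the dropped path is %AppData%\system32\intelgfx.exe and that "Temporary folder" means the user's %TEMP%, and it only reports findings, without deleting anything or echoing stolen credentials.

```powershell
# Added example, not Fortinet's code. Run as the affected user: the persistence
# key is under HKCU and the drop path is under that user's %AppData% (assumed).
$runKey     = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue   = 'invidiadriver'
$dropPath   = Join-Path $env:APPDATA 'system32\intelgfx.exe'   # assumed %AppData% expansion
$tempDump   = Join-Path $env:TEMP 'data.tmp'                   # assumed "Temporary folder"
$dumpHeader = 'URL,Web Browser,User Name,Password,Password Strength'

$findings = @()

# 1. Startup registry value named in the analysis.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$runValue]) {
    $findings += "Run value '$runValue' present, data: $($run.$runValue)"
}

# 2. Dropped copy of the sample. %AppData%\system32 is not a legitimate
#    Windows location, so the file's mere existence is suspicious.
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += "Dropped file present: $dropPath (SHA256 $hash)"
}

# 3. Stolen-credential dump. Only the header match and the record count are
#    reported; the credential lines themselves are never written to the console.
if (Test-Path -LiteralPath $tempDump) {
    $lines = @(Get-Content -LiteralPath $tempDump)
    if ($lines.Count -gt 0 -and $lines[0].Trim() -eq $dumpHeader) {
        $findings += "Credential dump $tempDump matches the documented format ($($lines.Count - 1) record(s))"
    } else {
        $findings += "File $tempDump exists but does not match the documented header"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/VBKrypt.MBSX!tr artifacts found for the current user.'
} else {
    Write-Output 'Possible W32/VBKrypt.MBSX!tr artifacts:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Because the sample injects into svchost.exe and explorer.exe, a clean file-system and registry check does not prove the host is clean; treat any finding as a reason to follow the Recommended Action below rather than to clean up by hand.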
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Detection Availability
---|---
FortiGate |
FortiClient |
FortiAPS |
FortiAPU |
FortiMail |
FortiSandbox |
FortiWeb |
Web Application Firewall |
FortiIsolator |
FortiDeceptor |
FortiEDR |