W32/VBKrypt.MBSX!tr

Analysis


  • Drops the following file:
    • %AppData%\system32\intelgfx.exe
      • This is a copy of itself with some differences at the end of the file. This is also detected as W32/VBKrypt.MBSX!tr.

  • Creates another process instance of itself, injects malicious code into it, and executes it.

  • Injects malicious code into the following processes:
    • svchost.exe
    • explorer.exe

  • Adds the following startup registry entry:
    • key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • value: invidiadriver
    • data: %AppData%\system32\intelgfx.exe

  • Attempts to steal account information for the following websites or software:
    • AIM
    • FileZilla
    • Gizmo5
    • GMail
    • ICQ
    • IMVU
    • Miranda IM
    • Paltalk
    • pidgin
    • Trillian
    • Vitalwerks No-IP
    • WindowsLive
    • www.dyndns.com
    • www.rapidshare.com
    • Yahoo Mail
    • Yahoo! Messenger

  • Attempts to steal stored user/password information for the following software:
    • COMODO Dragon
    • Google Chrome
    • Internet Download Manager
    • Internet Explorer
    • Mozilla Firefox

  • Attempts to steal server and account information for the following protocols:
    • FTP
    • SMTP

  • Creates the file data.tmp in the Temporary folder. This is a text file containing the stolen information, one record per line, in the following format:
    • URL,Web Browser,User Name,Password,Password Strength
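As an added example (not part of Fortinet's analysis), the persistence entry described above can be checked against a `reg query` listing of the HKCU Run key. The sample listing and the user name "alice" are constructed, and the third check generalises the indicator to any "system32" directory that sits outside %SystemRoot%:

```python
import re

# Indicators taken from the analysis above.
SUSPECT_VALUE = "invidiadriver"
SUSPECT_IMAGE = "intelgfx.exe"

# Constructed sample in the shape of `reg query HKCU\...\Run` output
# (hypothetical user "alice"; not real telemetry).
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive         REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    invidiadriver    REG_SZ    C:\Users\alice\AppData\Roaming\system32\intelgfx.exe
    Steam            REG_SZ    "C:\Program Files (x86)\Steam\steam.exe" -silent
"""

VALUE_RE = re.compile(r"^\s*(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")


def image_path(data):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ", 1)[0]


def find_suspicious_run_entries(reg_output):
    """Return (value name, image path, reasons) for Run entries matching this family's persistence."""
    hits = []
    for line in reg_output.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, path = m.group("name"), image_path(m.group("data"))
        low = path.lower()
        reasons = []
        if name.lower() == SUSPECT_VALUE:
            reasons.append("value name matches")
        if low.endswith("\\" + SUSPECT_IMAGE):
            reasons.append("image name matches")
        # Generalisation: the real system32 lives under %SystemRoot% (C:\Windows);
        # a "system32" directory inside a user profile is masquerading.
        if "\\system32\\" in low and "\\windows\\system32\\" not in low:
            reasons.append("system32 directory outside %SystemRoot%")
        if reasons:
            hits.append((name, path, reasons))
    return hits


if __name__ == "__main__":
    for name, path, reasons in find_suspicious_run_entries(SAMPLE_REG_OUTPUT):
        print(f"{name}: {path} ({'; '.join(reasons)})")
```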


Recommended Action

FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-11-22 91.09040
2023-11-20 91.08976
2022-11-28 90.08255
2022-11-03 90.07497
2022-08-25 90.05404
2022-08-02 90.04712
2022-05-27 90.02681
2022-05-25 90.02622
2022-05-12 90.02235
2022-05-12 90.02230