W32/DistTrack.A!tr
Analysis
- Upon execution, it drops the following files:
- [CurrentFolder]\f1.inf : This is a non-malicious text file containing a list of files whose contents have been overwritten with a JPEG file.
- [CurrentFolder]\f2.inf : This is a non-malicious text file containing a list of some files that are in the infected system.
- %Windows%\inf\netfb318.pnf : This is a non-malicious file that contains just one byte.
- %System%\drivers\drdisk.sys : This is a non-malicious disk driver.
- %System%\smbinit.exe : This is a malicious file detected as W32/EraseMBR.A!tr.
- %System%\trksvr.exe : This is a copy of the original malware file.
- It creates a service named TrkSvr with the ALL_ACCESS parameter using trksvr.exe, the dropped copy of itself in the System folder. The display name for the newly created service is "Distributed Link Tracking Server".
- For the TrkSvr service, it creates the registry entry HKLM\SYSTEM\CurrentControlSet\Services\TrkSvr. Some registry values are shown below:
- Figure 1: Registry values of the TrkSvr service.
- The malware applies the following additional service-related registry modifications:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drdisk
- ImagePath = "%System%\Drivers\drdisk.sys"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkSvr\Security
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drdisk
- It overwrites various files in the infected host with a JPEG file.
- It also deletes files in the System folder that have the following filenames:
- Figure 2: Files in the System folder that are deleted.
- This malware also issues the following command line:
- "%System%\cmd.exe /c sc start drdisk2>&1 >nul"
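The artifacts listed in this analysis (dropped file names, the TrkSvr and drdisk services, and the "sc start drdisk" command line) can be turned into a simple host-telemetry check. The following is an added example, not Fortinet code; the event dictionary layout and the sample events are constructed for illustration.

```python
import re

# Indicators taken from the analysis above: dropped files, service names,
# the TrkSvr display name and the command line that starts the drdisk driver.
DROPPED_FILES = {"f1.inf", "f2.inf", "netfb318.pnf", "drdisk.sys", "smbinit.exe", "trksvr.exe"}
SERVICE_NAMES = {"trksvr", "drdisk"}
SERVICE_DISPLAY = "distributed link tracking server"
# Matches with or without a space before "2>&1" (the quoted command line has none).
SC_START_RE = re.compile(r"\bsc\s+start\s+drdisk\s*2>&1", re.IGNORECASE)

def check_event(event):
    """Return the indicator names matched by one normalised telemetry event.

    event is a dict with a 'type' key (constructed layout): 'file_create' (path),
    'service_install' (name, display_name, image_path) or 'process_create' (command_line).
    """
    hits = []
    kind = event.get("type")
    if kind == "file_create":
        name = event["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in DROPPED_FILES:
            hits.append(f"dropped_file:{name}")
    elif kind == "service_install":
        name = event.get("name", "").lower()
        image = event.get("image_path", "").lower()
        if name in SERVICE_NAMES:
            hits.append(f"service:{name}")
        # The malware registers its own trksvr.exe under the legitimate-looking display name.
        if event.get("display_name", "").lower() == SERVICE_DISPLAY and image.endswith("trksvr.exe"):
            hits.append("service_display:trksvr_exe")
        if image.endswith("\\drivers\\drdisk.sys"):
            hits.append("driver:drdisk.sys")
    elif kind == "process_create":
        if SC_START_RE.search(event.get("command_line", "")):
            hits.append("cmd:sc_start_drdisk")
    return hits

def scan(events):
    """Return (event_index, hits) for every event matching at least one indicator."""
    return [(i, h) for i, e in enumerate(events) if (h := check_event(e))]

# Constructed sample events (not real telemetry) mirroring the artifacts in the analysis.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Windows\System32\smbinit.exe"},
    {"type": "file_create", "path": r"C:\Windows\inf\netfb318.pnf"},
    {"type": "file_create", "path": r"C:\Users\Public\report.docx"},
    {"type": "service_install", "name": "TrkSvr", "display_name": "Distributed Link Tracking Server",
     "image_path": r"C:\Windows\System32\trksvr.exe"},
    {"type": "service_install", "name": "drdisk", "display_name": "",
     "image_path": r"System32\Drivers\drdisk.sys"},
    {"type": "process_create", "command_line": r"C:\Windows\System32\cmd.exe /c sc start drdisk2>&1 >nul"},
    {"type": "process_create", "command_line": r"C:\Windows\System32\sc.exe query"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```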
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |