VirusW32/SDBot.J!worm
Analysis
- Copies itself to the System folder as F1REF0X.EXE.
Autostart Mechanism
- Adds the following value:
Mozilla Firefox = "F1REF0X.EXE"
to the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Backdoor and/or Trojan Behavior
- Opens a backdoor on TCP port 113.
- Connects to an IRC server to await instructions and commands from a malicious user. These commands can cause the infected machine to perform any of the following actions:
- Perform basic IRC commands
- Download and execute files
- Update or remove itself
- Scan for vulnerable computers
- Send confidential information, such as user names, passwords, etc., to the remote user
- List and terminate services and processes
- Initiate distributed denial of service (DDoS) attacks
- Logs keystrokes
Recommended Action
-
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extended | |
| FortiClient | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR |