MSIL/CodeWall.B!tr

Analysis

MSIL/CodeWall.B!tr is a generic detection for a trojan. A trojan is a type of malware that performs activities without the user's knowledge. Since this is a generic detection, malware detected as MSIL/CodeWall.B!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • Upon execution, this malware drops copies of itself to system folders. It creates an autorun registry entry to maintain persistence across startup. The malware also disables zone checking by modifying a registry value, which prevents security dialogs from appearing. Finally, the malware runs the dropped file and uses netsh.exe to add the malicious file as an allowed program to bypass the firewall.

  • This malware drops the following files:
    • %AppData%\Roaming\Internet8.exe : This file is a copy of the original malware.
    • %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7fb67d809a0531e3b83397c642dffd76.exe : This file is a copy of the original malware.

  • This malware applies the following registry modifications:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • Value: 7fb67d809a0531e3b83397c642dffd76
      • Data: ""C:\Users\A\AppData\Roaming\Internet8.exe" .."
      This automatically executes the dropped file every time any user logs on to the infected system.

    • HKEY_CURRENT_USER\Environment
      • Value: SEE_MASK_NOZONECHECKS
      • Data: "1"
      This disables zone checking.

  • Below are images of the malware:

    • Figure 1: Utilizing netsh.exe to bypass the firewall.


  • Following are some of the exact file hashes associated with this detection:
    • Md5: a6bb1f8f0e3aef666f023d88e0d30fc3
      Sha256: 995bc8d3c153dac9c781ef027c029fe8cd8765084e029a0a98432c8960beceb1
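As an added example (not from the advisory or from Fortinet), the following Python parses a regedit-style export of HKCU from a suspect host and flags the two registry artefacts listed above: a Run value launching the dropped file from %AppData%\Roaming, and SEE_MASK_NOZONECHECKS set to 1. The sample export embedded in the block is constructed, and the .reg escaping rules it assumes are the standard ones for regedit exports.

```python
import re
# Indicators from the advisory above: the Run key used for persistence, the dropped-file
# names, and the zone-check bypass value (all key and value names are taken from the page).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ENV_KEY = r"HKEY_CURRENT_USER\Environment"
DROPPED_FILE_NAMES = ("internet8.exe", "7fb67d809a0531e3b83397c642dffd76.exe")

# A "name"="data" line in .reg export syntax; backslashes and quotes are escaped with '\'.
_VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # '\\' -> '\', '\"' -> '"'

def parse_reg_export(text: str) -> dict:
    """Parse [KEY] headers and string values of a reg export into {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_LINE.match(line)):
            keys[current][_unescape(m.group("name"))] = _unescape(m.group("data"))
    return keys

def find_codewall_indicators(text: str) -> list:
    """Return findings for the two registry artefacts the advisory lists."""
    findings = []
    keys = parse_reg_export(text)
    # Persistence: a Run value launching one of the dropped files from %AppData%\Roaming.
    for name, data in keys.get(RUN_KEY, {}).items():
        lowered = data.lower()
        if "\\appdata\\roaming\\" in lowered and any(f in lowered for f in DROPPED_FILE_NAMES):
            findings.append(f"run-key persistence: {name} -> {data}")
    # Zone-check bypass: SEE_MASK_NOZONECHECKS=1 suppresses the security prompt for downloaded files.
    if keys.get(ENV_KEY, {}).get("SEE_MASK_NOZONECHECKS") == "1":
        findings.append("zone checking disabled: SEE_MASK_NOZONECHECKS=1 under HKCU\\Environment")
    return findings

# Constructed sample export (not from a real host) mixing a benign Run entry with the IoCs.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\A\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"7fb67d809a0531e3b83397c642dffd76"="\"C:\\Users\\A\\AppData\\Roaming\\Internet8.exe\" .."

[HKEY_CURRENT_USER\Environment]
"SEE_MASK_NOZONECHECKS"="1"
'''
```

Run it against `reg export HKCU hkcu.reg` output from a host under investigation; the benign OneDrive entry in the sample shows that only Roaming-profile launches of the named dropped files are reported.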

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2022-11-07 90.07624
2022-08-16 90.05126
2022-06-20 90.03436
2022-06-20 90.03434
2022-06-20 90.03422