W32/Agent.VJT!tr.dldr

Analysis


  • Drops a file in the %WINDOWS% folder as {Four Random Lowercase Characters}.exe, then executes it. The dropped file deletes itself after executing.

  • Drops a file as %WINDOWS%\system32\drivers\ntdapi.sys and starts it as the service Ntdapi, then deletes this file.

  • Downloads a list of malicious URLs from the following URL and saves it as c:\tmp.dat:
    • http://down.{Removed}.cn/ko.txt
    It then downloads the files on the list to the %SYSTEM% folder and executes them.
  • Copies the file %WINDOWS%\explorer.exe to %SYSTEM%\explorer.exe and overwrites the file %WINDOWS%\explorer.exe with malicious code.

  • Terminates the following processes:
    • 360TRAY.EXE
    • ekrn.exe
    • egui.exe
    • nod32krn.exe
    • nod32kui.exe
  • Attempts to disable the following services:
    • ekrn
    • NOD32krn
  • Deletes the file QQDoctor.exe in the QQDoctor install path.

  • It deletes itself from the current directory.
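As an added example (not part of the Fortinet analysis), the detection logic below runs over constructed endpoint telemetry and flags two of the behaviours listed above: a kernel driver that is dropped, started as a service and then deleted from disk, and the termination of the named security processes. The event schema, the timestamps and the benign "goodvendor.sys" driver are assumptions made for the sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Security processes the analysis says the sample terminates (names from the page).
AV_PROCESSES = {"360tray.exe", "ekrn.exe", "egui.exe", "nod32krn.exe", "nod32kui.exe"}

@dataclass
class Event:
    ts: datetime
    kind: str       # file_create | service_start | file_delete | process_terminate
    path: str       # file path, service image path, or terminated image name
    name: str = ""  # service name (service_start only)

def find_transient_driver_services(events, window=timedelta(minutes=5)):
    """Flag a .sys file that is created, started as a service, and then deleted
    within `window`: a running kernel driver that no longer exists on disk."""
    by_path = {}
    for e in events:
        by_path.setdefault(e.path.lower(), []).append(e)
    findings = []
    for path, evs in by_path.items():
        if not path.endswith(".sys"):
            continue
        created = [e for e in evs if e.kind == "file_create"]
        started = [e for e in evs if e.kind == "service_start"]
        deleted = [e for e in evs if e.kind == "file_delete"]
        for s in started:
            if any(c.ts <= s.ts for c in created) and \
               any(s.ts <= d.ts <= s.ts + window for d in deleted):
                findings.append((s.name, path))
    return findings

def find_av_terminations(events):
    """Return the listed security processes that were terminated, sorted."""
    return sorted({e.path.lower() for e in events
                   if e.kind == "process_terminate" and e.path.lower() in AV_PROCESSES})

# Constructed sample telemetry modelled on the behaviour described on this page.
T0 = datetime(2018, 11, 17, 10, 0, 0)
DRV = r"C:\WINDOWS\system32\drivers\ntdapi.sys"
SAMPLE = [
    Event(T0, "file_create", DRV),
    Event(T0 + timedelta(seconds=2), "service_start", DRV, "Ntdapi"),
    Event(T0 + timedelta(seconds=5), "file_delete", DRV),
    Event(T0 + timedelta(seconds=30), "process_terminate", "ekrn.exe"),
    Event(T0 + timedelta(seconds=31), "process_terminate", "notepad.exe"),
    # Assumed benign driver install: created and started, but never deleted.
    Event(T0 + timedelta(hours=1), "file_create", r"C:\WINDOWS\system32\drivers\goodvendor.sys"),
    Event(T0 + timedelta(hours=1, seconds=1), "service_start",
          r"C:\WINDOWS\system32\drivers\goodvendor.sys", "GoodVendor"),
]

if __name__ == "__main__":
    print(find_transient_driver_services(SAMPLE))  # [('Ntdapi', 'c:\\windows\\system32\\drivers\\ntdapi.sys')]
    print(find_av_terminations(SAMPLE))            # ['ekrn.exe']
```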


  Recommended Action

      FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
      FortiClient Systems
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Telemetry

    Detection Availability

    Product                  Level
    FortiGate                Extended
    FortiClient              Extreme
    FortiAPS
    FortiAPU
    FortiMail                Extreme
    FortiSandbox             Extreme
    FortiWeb                 Extreme
    Web Application Firewall Extreme
    FortiIsolator            Extreme
    FortiDeceptor            Extreme
    FortiEDR

    Version Updates

    Date        Version   Detail
    2018-12-11  64.82100  Sig Updated
    2018-11-17  64.25300  Sig Added