W32/Zbot.FG!tr
Analysis
W32/Zbot.FG!tr is classified as a Trojan. Trojans have capabilities such as remote access connection handling, performing Denial of Service (DoS) or Distributed DoS (DDoS) attacks, capturing keyboard input, deleting files or objects, or terminating processes.
- undefinedSYSTEMundefined\lowsec\
- undefinedSYSTEMundefined\lowsec\local.ds
- undefinedSYSTEMundefined\lowsec\user.ds
- undefinedSYSTEMundefined\lowsec\user.ds.lll
- undefinedSYSTEMundefined\sdra64.exe
To automatically execute the file sdra64.exe whenever Windows starts:To terminate the Windows firewall service:
- key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- value: Userinit
- data: undefinedSYSTEMundefined\sdra64.exe
- key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\
- value: EnableFirewall
- data: 0
- grafjasqq.[removed]
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
FortiGate | |
---|---|
FortiClient | |
FortiAPS | |
FortiAPU | |
FortiMail | |
FortiSandbox | |
FortiWeb | |
Web Application Firewall | |
FortiIsolator | |
FortiDeceptor | |
FortiEDR |