W32/Agent.GBS!tr.dldr

Analysis

W32/Agent.GBS!tr.dldr is classified as a downloader trojan.
Downloader Trojans have the capability to download other malicious files or updated versions of themselves.

It creates the following folder:

• C:\Documents and Settings\LocalService\Application Data\sysproc64

It then drops the following file under the newly created folder:

• sysproc32.sys

It creates the following folder under the System folder:

• sysproc64

It then drops the following files under the newly created folder:

• sysproc32.sys
• sysproc86.sys

It drops the following file in the System folder:

• oembios.exe

It attempts to terminate the firewall or other security applications, including antivirus monitors.

It modifies the following registry:

• key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
• value: Userinit
• data: undefinedSystemundefined\userinit.exe, undefinedSystemundefined\oembios.exe

It adds this value so that the malware is executed every time Windows starts up.

It adds the following registry:

• key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
• value: EnableFirewall
• data: 0

It adds this new value so that the firewall is always disabled.

It tries to access the following URL(s):

• bmw[removed]foreva.ru

It injects itself into the undefinedSystemundefined\svchost.exe  process to open ports and possibly allow remote access to the victim's computer.

Recommended Action

FortiGate Systems

• Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
  FortiClient Systems
  
• Quarantine/delete files that are detected and replace infected files with clean backup copies.