W32/Agent.NHY!tr
Analysis
- Creates the following registry entries:
  - key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
    value: SafeDrv
    data: C:\Program Files\Common Files\SafeDrv.exe
    (policy-based autostart location: the dropped file runs at each logon)
  - key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
    value: C:\Program Files\Common Files\SafeDrv.exe
    data: C:\Program Files\Common Files\SafeDrv.exe:*:Enabled:@xpsp2res.dll,-22019
    (adds the dropped file to the Windows Firewall authorized applications exception list)
  - key: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WXEVSN\0000\
    value: Service
    data: wxevsn
    (legacy device entry created for a service named wxevsn)
- Injects malicious code into the following process:
  - IEXPLORE.EXE
- Downloads malware from the following URL:
  - http://www.sk{removed}/vod/xm.exe
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.