VirusW32/Agent.NHY!tr
Analysis
- Creates the following registry:
- key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
- value: SafeDrv
- data: C:\Program Files\Common Files\SafeDrv.exe
- key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
- value: C:\Program Files\Common Files\SafeDrv.exe
- data: C:\Program Files\Common Files\SafeDrv.exe:*:Enabled:@xpsp2res.dll,-22019
- key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- value: C:\Program Files\Common Files\SafeDrv.exe
- data: C:\Program Files\Common Files\SafeDrv.exe:*:Enabled:@xpsp2res.dll,-22019
- key: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WXEVSN\0000\
- value: Service
- data: wxevsn
- Injects malicious code into the following process:
- IEXPLORE.EXE
- Downloads malware from the following URL:
- http://www.sk{removed}/vod/xm.exe
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |