W32/Agent.AF!tr

Analysis

W32/Agent.AF!tr is a very generic detection for a trojan. Since this is a generic detection, malware that are detected as W32/Agent.AF!tr may have varying behaviour.
Below are examples of some of these characteristics/behaviours:

• This detection is not based on any specific malware family and would catch a wide array of malware.


• Some malware that belong to this detection are AutoIt based.


• Some malware that belong to this detection may utilize powershell command line.


• Some instances of this malware may drop any of the following file(s):
  
  • undefinedAllUsersProfileundefined\taskhos.exe : This file is a copy of the original malware itself.
  • undefinedUserProfileundefined\[Random]\[Random].vbs : This file is detected as VBS/Runner.NCL!tr.


• Some instances of this malware may apply any of the following registry modification(s):
  
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Runonce
    
    • [Random] = undefinedUserProfileundefined\[Random]\[Random].vbs
    Entries made by executable programs are deleted after being processed.
    


• Some instances may drop the following files:
  
  • Opens a photo as a decoy. This file is dropped as undefinedsystemrootundefined\system32\angie.jpg
  • undefinedsystemrootundefined\system32\msjvms32.exe : This file is a copy of the original malware itself.


• Below are some of user interface or infections caught during our tests:
  

  Figure 1: Running malware process.

  
  

  Figure 2: Malware payload.

  
  

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.