W32/Agent.NPT!worm
Analysis
W32/Agent.NPT!worm is a generic detection for a trojan.
Because this is a generic detection, samples detected as W32/Agent.NPT!worm may behave differently from one another.
Below are examples of some of these behaviours:
- This malware may drop the following files:
- %AppData%\[MachineName]\[Random].exe: This file is a copy of the original malware itself; the filename is taken from a randomly chosen file in %SystemRoot%.
- The following registry modifications are applied:
- HKEY_CURRENT_USER\Software\Microsoft\Windows
- rate = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- [Random].exe = "%AppData%\[MachineName]\[Random].exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- [Random].exe = "%AppData%\[MachineName]\[Random].exe"
- This malware may also connect to yodafest.biz.
- This malware has also been associated with sending host information to a remote C&C site, and may be capable of spreading through external drives.
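The persistence indicators above (Run values pointing into %AppData%\[MachineName]\[Random].exe and the rate = "1" marker) can be hunted for with a small registry check. The following is an added example, not Fortinet code or part of this entry; `suspicious_entries`, `read_registry_rows` and the sample rows are hypothetical, the machine name and the expanded-path form of the value data are assumptions, and the live reader needs Windows.

```python
import re
try:
    import winreg  # Windows only; the matcher itself runs anywhere
except ImportError:
    winreg = None
# Registry locations named in the analysis above.
RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows"

def suspicious_entries(rows, machine_name):
    r"""rows: (key_path, value_name, data). Flags Run values pointing at
    %AppData%\<machine_name>\<anything>.exe (unexpanded or expanded) and rate = "1"."""
    drop_path = re.compile(r"(?:%AppData%|\\AppData\\Roaming)\\"
                           + re.escape(machine_name) + r"\\[^\\]+\.exe$", re.I)
    run_keys = {k.lower() for k in RUN_KEYS}
    hits = []
    for key, name, data in rows:
        if key.lower() in run_keys and isinstance(data, str) \
                and drop_path.search(data.strip().strip('"')):
            hits.append((key, name, data))
        elif key.lower() == MARKER_KEY.lower() and name.lower() == "rate" \
                and str(data) == "1":
            hits.append((key, name, data))
    return hits

def read_registry_rows():
    """Windows only: enumerate every value under the keys above."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    rows = []
    for path in RUN_KEYS + (MARKER_KEY,):
        hive, subkey = path.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = value count
                    name, data, _ = winreg.EnumValue(key, i)
                    rows.append((path, name, data))
        except OSError:  # key absent or access denied
            pass
    return rows

SAMPLE_ROWS = [  # constructed sample rows (not real telemetry) for offline runs
    (RUN_KEYS[0], "OneDrive", r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (RUN_KEYS[0], "calc.exe", r"%AppData%\DESKTOP-7Q2\calc.exe"),
    (RUN_KEYS[1], "calc.exe", r'"C:\Users\a\AppData\Roaming\DESKTOP-7Q2\calc.exe"'),
    (MARKER_KEY, "rate", "1"),
]
```

On a live host, call `suspicious_entries(read_registry_rows(), socket.gethostname())`; the sample rows show a benign OneDrive entry passing and the three page indicators being flagged.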
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |