W32/Agent.NPT!worm

Analysis



W32/Agent.NPT!worm is a generic detection for a trojan. Because the detection is generic, malware detected as W32/Agent.NPT!worm may exhibit varying behaviour.
Below are examples of some of these behaviours:

  • This malware may drop the following files:
    • %AppData%\[MachineName]\[Random].exe: This file is a copy of the original malware itself; its filename is taken from a random file found in %SystemRoot%.

  • The following registry modifications are applied:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows
        • rate = "1"
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
        • [Random].exe = "%AppData%\[MachineName]\[Random].exe"
        This automatically executes the dropped file every time the infected user logs on.
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        • [Random].exe = "%AppData%\[MachineName]\[Random].exe"
        This registry entry is a Windows autostart location: the dropped file is executed every time the host machine restarts.

  • This malware may also connect to yodafest.biz.

  • This malware has also been associated with sending host information to a remote C&C site and may be capable of spreading through external drives.
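The persistence artifacts listed above (a Run-key value under HKCU or HKLM pointing at %AppData%\[MachineName]\[Random].exe, plus the "rate" marker under HKCU\Software\Microsoft\Windows) can be checked offline against a registry export taken from a suspect host. The following script is an added example, not Fortinet's code or part of this encyclopedia entry: it parses a `.reg` export (the format produced by `reg export`) and flags only entries that match the path shape described on this page. The sample export, the host name WORKSTATION-01 and the user name are constructed for illustration; because the page states the dropped file's name is copied from a random %SystemRoot% file, the check matches the directory pattern rather than any particular file name.

```python
import re
from typing import Dict, List

# Constructed sample: a .reg export of the HKCU\Software\Microsoft\Windows key
# and both Run keys from a hypothetical infected host named WORKSTATION-01.
# The OneDrive and SecurityHealth entries are benign decoys included to show
# that the check does not flag every Run-key entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows]
"rate"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"notepad.exe"="%AppData%\\WORKSTATION-01\\notepad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"notepad.exe"="C:\\Users\\alice\\AppData\\Roaming\\WORKSTATION-01\\notepad.exe"
'''

_KEY_LINE = re.compile(r'^\[(.+)\]$')
# Only REG_SZ values ("name"="value") are needed for these indicators.
_STR_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

_RUN_KEY_SUFFIX = r'\software\microsoft\windows\currentversion\run'
_MARKER_KEY = r'hkey_current_user\software\microsoft\windows'


def _unescape(s: str) -> str:
    """Undo .reg string escaping: backslash-escaped quote and backslash."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> List[Dict[str, str]]:
    """Return key/name/value records for every string value in a .reg export."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _STR_VALUE_LINE.match(line)
        if m and current_key is not None:
            entries.append({"key": current_key,
                            "name": _unescape(m.group(1)),
                            "value": _unescape(m.group(2))})
    return entries


def find_agent_npt_indicators(reg_text: str, machine_name: str) -> List[Dict[str, str]]:
    """Flag the registry artifacts described for W32/Agent.NPT!worm.

    Two case-insensitive checks:
      1. a Run-key value whose command points at %AppData%\\<MachineName>\\<file>.exe,
         in either the %AppData% form or the expanded ...\\AppData\\Roaming\\ form;
      2. a 'rate' value directly under HKCU\\Software\\Microsoft\\Windows.
    """
    host = re.escape(machine_name.lower())
    dropped_path = re.compile(
        r'(?:%appdata%|\\appdata\\roaming)\\' + host + r'\\([^\\"\s]+\.exe)')
    findings = []
    for e in parse_reg_export(reg_text):
        key_l = e["key"].lower()
        if key_l.endswith(_RUN_KEY_SUFFIX):
            m = dropped_path.search(e["value"].lower())
            if m:
                findings.append({**e, "reason": "Run entry launches %AppData%\\"
                                 + machine_name + "\\" + m.group(1)})
        elif key_l == _MARKER_KEY and e["name"].lower() == "rate":
            findings.append({**e, "reason": "infection marker 'rate' present"})
    return findings


def dropped_files(findings: List[Dict[str, str]]) -> List[str]:
    """Unique launch commands from the Run-key findings, i.e. files to quarantine."""
    return sorted({f["value"] for f in findings
                   if f["key"].lower().endswith(_RUN_KEY_SUFFIX)})


if __name__ == "__main__":
    hits = find_agent_npt_indicators(SAMPLE_REG_EXPORT, "WORKSTATION-01")
    for h in hits:
        print(f'{h["key"]} :: {h["name"]} -> {h["reason"]}')
    print("Quarantine candidates:", dropped_files(hits))
```

Running the script against the constructed export reports the two Run-key entries and the "rate" marker and lists the two launch paths as quarantine candidates; run against a host name that does not match, only the marker is reported, which is the intended behaviour since the path pattern is keyed to the infected machine's own name.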



Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                    Availability
FortiGate                  Extreme
FortiClient                Extended
FortiMail                  Extended
FortiSandbox               Extended
FortiWeb                   Extended
Web Application Firewall   Extended
FortiIsolator              Extended
FortiDeceptor              Extended
FortiEDR

Version Updates

Date         Version    Detail
2023-01-10   90.09530
2022-11-27   90.08223
2019-04-16   67.84200   Sig Updated
2019-03-12   67.00000   Sig Added