VirusW32/Zortob.H!tr
Analysis
W32/Zortob.H!tr is a generic detection for a type of trojan that drops other malware onto the compromised computer. Since this is a generic detection, files that are detected as W32/Zortob.H!tr may have varying behavior.
Below are examples of some of these behavior:
- Upon execution, it drops the following copy of itself:
- undefinedAppDataundefined\{Random}.exe
- The following registry modification is applied:
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- value: {Random}
- data: undefinedAppDataundefined\{Random}.exe
- During execution, it has been observed to connect to remote sites such as:
- 162.20{Removed} on port 443
- 218.6{Removed} on port 443
- 109.10{Removed} on port 443
- Some variants of this malware disguise themselves by using the Microsoft Word Document icon.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extreme | |
| FortiClient | |
| Extended | |
| FortiMail | |
| Extended | |
| FortiSandbox | |
| Extended | |
| FortiWeb | |
| Extended | |
| Web Application Firewall | |
| Extended | |
| FortiIsolator | |
| Extended | |
| FortiDeceptor | |
| Extended | |
| FortiEDR |