W32/Zortob.H!tr
Analysis
W32/Zortob.H!tr is a generic detection for a type of trojan that drops other malware onto the compromised computer. Since this is a generic detection, files that are detected as W32/Zortob.H!tr may have varying behavior.
Below are examples of some of these behaviors:
- Upon execution, it drops the following copy of itself:
  - %AppData%\{Random}.exe
- The following registry modification is applied:
  - key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  - value: {Random}
  - data: %AppData%\{Random}.exe
- During execution, it has been observed to connect to remote sites such as:
  - 162.20{Removed} on port 443
  - 218.6{Removed} on port 443
  - 109.10{Removed} on port 443
- Some variants of this malware disguise themselves by using the Microsoft Word Document icon.
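As an added example (not part of this Fortinet entry), the following PowerShell enumerates HKCU Run values whose target executable sits directly in %AppData%, the persistence pattern listed above; the function name Get-SuspiciousRunEntry is an assumption, and a hit only indicates a file that warrants a scan, not a confirmed infection.

```powershell
# Added example, not from the Fortinet page. Lists HKCU Run entries whose
# command points to an .exe located directly under %AppData% (not a subfolder),
# matching the "{Random}.exe" persistence described above.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [Environment]::GetFolderPath('ApplicationData')   # resolves %AppData%

function Get-SuspiciousRunEntry {
    param([string]$KeyPath = $runKey, [string]$AppDataPath = $appData)
    $item = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if (-not $item) { return }
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $raw = [string]$prop.Value
        # Strip surrounding quotes and trailing arguments, then expand %AppData% etc.
        $exe = ($raw -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if ($exe -notmatch '\.exe$') { continue }
        $parent = Split-Path -Path $exe -Parent
        if ($parent -and ($parent.TrimEnd('\') -ieq $AppDataPath.TrimEnd('\'))) {
            [PSCustomObject]@{
                ValueName = $prop.Name
                Target    = $exe
                Exists    = Test-Path -LiteralPath $exe
            }
        }
    }
}

Get-SuspiciousRunEntry | Format-Table -AutoSize
```

Run it under each interactive user account, since the Run key is per-user (HKCU).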
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability

Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR | 