VirusW32/Generic.B!tr.bdr
Analysis
- Copies itself to the System folder as wnsvc.exe.
- Adds the following value to run itself at each Windows startup:
WN Services = "undefinedSystemundefined\wnsvc.exe"
to the following subkey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Note: undefinedSystemundefined refers to the System folder.
- Drops the file uninstall.bat to the Temporary folder. This file is used to delete the initially executed copy of itself.
- Connects to the one of the following Internet Relay Chat (IRC) servers using TCP port 6564:
- micro.leetshiz.com
- micro.nunyah.info
When connected, it listens for commands that allow the remote attacker to perform any of the following actions:
- Deliver system information to attacker
- Download file
- Execute file
- Kill process
- Perform DDoS attack
- Perform network scan
- Start spreading routine
- Propagates by exploiting the Microsoft ASN.1 Library Bit String Processing Variant Heap Corruption Vulnerability.
Recommended Action
-
FortiGate systems:
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Patch
- Download and install the patch for the Microsoft ASN.1 Library Bit String Processing Variant Heap Corruption Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extended | |
| FortiClient | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR |