W32/Generic.B!tr.bdr
Analysis
- Copies itself to the System folder as wnsvc.exe.
- Adds the following value to run itself at each Windows startup:
WN Services = "%System%\wnsvc.exe"
to the following subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Note: %System% refers to the System folder.
- Drops the file uninstall.bat to the Temporary folder. This file is used to delete the initially executed copy of itself.
- Connects to one of the following Internet Relay Chat (IRC) servers using TCP port 6564:
- micro.leetshiz.com
- micro.nunyah.info
When connected, it listens for commands that allow the remote attacker to perform any of the following actions:
- Deliver system information to attacker
- Download file
- Execute file
- Kill process
- Perform DDoS attack
- Perform network scan
- Start spreading routine
- Propagates by exploiting the Microsoft ASN.1 Library Bit String Processing Variant Heap Corruption Vulnerability.
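As an added host-side check that is not part of the Fortinet write-up, the following PowerShell looks for the three indicators the analysis above describes: the "WN Services" Run value, wnsvc.exe in the System folder, and a live TCP connection on port 6564. It assumes the System folder is %SystemRoot%\System32 and that the Get-NetTCPConnection and Get-FileHash cmdlets are available (Windows 8 / PowerShell 4 or later).

```powershell
# Added triage script; not from the original description.
# Run in an elevated PowerShell session. Reports any of the
# W32/Generic.B!tr.bdr indicators listed in the analysis.

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# 1. Persistence: the "WN Services" value, or any Run value that
#    points at wnsvc.exe under a different name.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        $isName  = ($p.Name -eq 'WN Services')
        $isValue = ($p.Value -is [string] -and $p.Value -match 'wnsvc\.exe')
        if ($isName -or $isValue) {
            $findings += "Run value '$($p.Name)' = $($p.Value)"
        }
    }
}

# 2. Dropped copy in the System folder (%System% in the analysis).
#    Assumption: System folder is %SystemRoot%\System32.
$sysPath = Join-Path $env:SystemRoot 'System32\wnsvc.exe'
if (Test-Path -Path $sysPath) {
    $hash = (Get-FileHash -Path $sysPath -Algorithm SHA256).Hash
    $findings += "File present: $sysPath (SHA256 $hash)"
}

# 3. Live IRC command channel on the port named in the analysis.
$conns = Get-NetTCPConnection -RemotePort 6564 -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP $($c.RemoteAddress):6564 from PID $($c.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Generic.B!tr.bdr indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

The script only reports; isolate the host and collect the file before removing the Run value so the sample and its hash are preserved for analysis.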
Recommended Action
FortiGate systems:
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Patch
- Download and install the patch for the Microsoft ASN.1 Library Bit String Processing Variant Heap Corruption Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx.