VBS/Agent.PFR!tr.dldr

Analysis

VBS/Agent.PFR!tr.dldr is a generic detection for a type of Visual Basic script downloader trojan that downloads the Locky ransomware onto the compromised computer. Since this is a generic detection, files that are detected as VBS/Agent.PFR!tr.dldr may have varying behavior.
Along with W32/Locky.FWSD!tr.ransom below are examples of some of its characteristics/behavior:

• It downloads the Locky ransomware as the following file:
  
  • undefinedTempundefined[Random].exe : This file is detected as W32/Locky.FWSD!tr.ransom .


• Affected files of this Ransomware will use the filenaming format XXXXXXXX-XXXX-XXXX-XXXXXXXX-XXXXXXXXXXXX.ykcol, where X is any alphanumeric character.


• It attempts to connect to the following URLs:
  
  • hxxp://amma{Removed}.it/jhdsgvc74?
  • hxxp://idea{Removed}.net/p66/jhdsgvc74
  • hxxp://anim{Removed}.net/jhdsgvc74?


• Below is an example of the Ransom notes:
  

  Figure 1: Ransom notes.

  
  

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.