W32/FareitVB.DSJA!tr
Analysis
W32/FareitVB.DSJA!tr is a generic detection for a trojan. Since this is a generic detection, samples that are detected as W32/FareitVB.DSJA!tr may have varying behaviour.
Below are examples of some of these behaviours:
- This malware may drop any of the following file(s):
- %AppData%\[Random]\[Random].exe : This file is detected as W32/FareitVB.DSJA!tr.
- %AppData%\[Random]\[Random].lck : This file is a 1 byte file.
- %StartUp%\[Random].vbe : This file will serve as an Autostart for %AppData%\[Random]\[Random].exe.
- This malware may connect to any of the following remote site(s):
- chydub{Removed}.ru
- 18{Removed}.165.29.118
- ww{Removed}.mailsecuritysxyz.ru
- hxxp://18{Removed}.165.29.118/doittwo/ix/fre.php
- hxxp://ww{Removed}.mailsecuritysxyz.ru/frankasaba/fre.php
- hxxp://chydub{Removed}.ru/tec/config.jpg
- Some instances of this malware may also have Injector or Botnet capabilities.
- This malware may also download a potentially malicious JPEG file detected as Data/ZBotJpgCfg.SM!tr.
- During our tests, some instances of this malware caused the following prompt, possibly installing a version of .Net:
- Figure 1: .Net installation prompt
- Figure 2: IE pointing to .Net download.
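The host and network artefacts listed above can be checked mechanically. The script below is an added triage example written for this page; it is not Fortinet code and not part of the original entry. It looks for the dropped-file pattern (a subdirectory under %AppData% holding an .exe next to a 1-byte .lck file) combined with a .vbe file in the Startup folder, and it matches proxy log lines against the URL paths from the indicator list. Because the hosts on the page are redacted, only the URL paths are matched. The directory names, file contents, IP addresses and log lines used for the demo are constructed for illustration and are not indicators from the page.

```python
"""Triage helpers for the W32/FareitVB.DSJA!tr artefacts described on this page.

Added example, not Fortinet's own tooling. Sample paths, hosts and log lines
below are constructed for the demo and are not indicators from the page.
"""
import re
import tempfile
from pathlib import Path

# URL paths taken from the indicator list; hosts are redacted on the page,
# so matching is done on the path component only.
C2_URL_PATHS = (
    "/doittwo/ix/fre.php",
    "/frankasaba/fre.php",
    "/tec/config.jpg",
)


def find_dropped_pairs(appdata_dir):
    """Return subdirectories of appdata_dir that hold an .exe and a 1-byte .lck file.

    The page lists %AppData%\\[Random]\\[Random].exe and a 1-byte
    %AppData%\\[Random]\\[Random].lck; the two names are not assumed to match.
    """
    hits = []
    appdata = Path(appdata_dir)
    if not appdata.is_dir():
        return hits
    for sub in appdata.iterdir():
        if not sub.is_dir():
            continue
        files = [p for p in sub.iterdir() if p.is_file()]
        exes = [str(p) for p in files if p.suffix.lower() == ".exe"]
        lcks = [str(p) for p in files
                if p.suffix.lower() == ".lck" and p.stat().st_size == 1]
        if exes and lcks:
            hits.append({"dir": str(sub), "exe": exes, "lck": lcks})
    return hits


def find_startup_vbe(startup_dir):
    """Return .vbe files in the Startup folder (the page's autostart artefact)."""
    startup = Path(startup_dir)
    if not startup.is_dir():
        return []
    return [str(p) for p in startup.iterdir()
            if p.is_file() and p.suffix.lower() == ".vbe"]


def triage_host(appdata_dir, startup_dir):
    """Combine both host artefacts; 'suspicious' requires both to be present."""
    pairs = find_dropped_pairs(appdata_dir)
    vbe = find_startup_vbe(startup_dir)
    return {"dropped_pairs": pairs, "startup_vbe": vbe,
            "suspicious": bool(pairs and vbe)}


def match_c2_paths(log_lines):
    """Return (line_number, path) for log lines whose URL path is a listed C2 path.

    The query string is stripped before comparison so '/tec/config.jpg?x=1'
    still matches '/tec/config.jpg'.
    """
    url_re = re.compile(r"https?://[^/\s]+(/[^\s\"]*)")
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = url_re.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]
        if path in C2_URL_PATHS:
            hits.append((n, path))
    return hits


# Constructed proxy log lines (documentation-reserved hosts, not real indicators).
SAMPLE_PROXY_LOG = [
    '10.0.0.5 - - [09/Dec/2019:10:01:02] "GET http://www.example.com/index.html HTTP/1.1" 200',
    '10.0.0.5 - - [09/Dec/2019:10:01:09] "POST http://198.51.100.7/doittwo/ix/fre.php HTTP/1.1" 200',
    '10.0.0.6 - - [09/Dec/2019:10:02:00] "GET http://www.example.net/tec/other.jpg HTTP/1.1" 404',
    '10.0.0.5 - - [09/Dec/2019:10:03:11] "GET http://c2.example.org/tec/config.jpg?x=1 HTTP/1.1" 200',
]


def build_sample_tree(root):
    """Create a constructed %AppData%/%StartUp% layout matching the page's file list."""
    appdata = Path(root) / "AppData"
    startup = Path(root) / "StartUp"
    dropdir = appdata / "abc123"          # stands in for [Random]
    dropdir.mkdir(parents=True)
    startup.mkdir(parents=True)
    (dropdir / "xyz789.exe").write_bytes(b"MZ")   # placeholder, not a real PE
    (dropdir / "xyz789.lck").write_bytes(b"\x00")  # the 1-byte lock file
    (startup / "qwe.vbe").write_text("' constructed autostart stub\n")
    return str(appdata), str(startup)


def run_demo():
    """Build the sample tree in a temp dir and triage it; returns the host result."""
    with tempfile.TemporaryDirectory() as tmp:
        appdata, startup = build_sample_tree(tmp)
        return triage_host(appdata, startup)


if __name__ == "__main__":
    print(run_demo())
    print(match_c2_paths(SAMPLE_PROXY_LOG))
```

On a live Windows host the two directory arguments would be the expanded `%AppData%` and the per-user Startup folder; the .vbe content is not parsed because encoded VBScript does not expose the target path in plaintext, so the script only correlates the presence of the artefacts rather than proving the link between them.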
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability

Product | Detection
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR | 
Version Updates
Date | Version | Detail |
---|---|---|
2019-12-09 | 73.67200 | Sig Updated |