MSWord/Agent.26CB!tr

Analysis



MSWord/Agent.26CB!tr is a specific detection for a Dropper Trojan.
Below are examples of its behaviours:

  • This malware drops/downloads the following files from the remote site workgrac{Removed}.com/MoneyGramc.exe:
    • %Documents%\MoneyGramc.exe
    • %Temp%\HDAudio\HDAudio.exe
    Both of the above files are currently detected as W32/Fynloski.AN!tr.

  • The following registry modifications are applied:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • HDAudio = "%Temp%\HDAudio\HDAudio.exe"
      This automatically executes the dropped file every time the infected user logs on.

  • This malware was delivered as a password-protected document, as illustrated below:

    • Figure 1: Spam Mail.


    • Figure 2: Infected document.
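
A triage check for the artefacts listed above, written as an added example (it is not Fortinet's code). It assumes the page's `%Documents%` and `%Temp%` placeholders mean the logged-on user's Documents folder and `$env:TEMP`; flagging any Run value that launches from the Temp directory generalizes beyond the single `HDAudio` value named on this page.

```powershell
# Added example: read-only check of the current user's profile for the dropped
# files and the Run-key value described in this write-up. Nothing is deleted.
# Assumption: %Temp% -> $env:TEMP, %Documents% -> the MyDocuments known folder.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$tempDir = [System.IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')
$docsDir = [Environment]::GetFolderPath('MyDocuments')

$dropped = @(
    (Join-Path $docsDir 'MoneyGramc.exe'),
    (Join-Path $tempDir 'HDAudio\HDAudio.exe')
)
$findings = @()

# 1. Dropped files named in the write-up; record a hash for later lookup.
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Name = $path; Detail = "SHA256=$hash" }
    }
}

# 2. Run-key values: the exact 'HDAudio' name, or any command line that starts
#    in the Temp directory (legitimate software rarely autostarts from there).
$key = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        # Read the raw data, then expand %VAR% ourselves so both forms match.
        $raw      = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        $expanded = [Environment]::ExpandEnvironmentVariables($raw).TrimStart('"')
        $inTemp   = $expanded.StartsWith("$tempDir\", [StringComparison]::OrdinalIgnoreCase)
        if ($name -ieq 'HDAudio' -or $inTemp) {
            $findings += [pscustomobject]@{ Type = 'RunValue'; Name = $name; Detail = $raw }
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No matching files or Run-key values found for this user.'
}
```

Run it in the context of the affected user, since both the Run key and the file paths are per-user. If `$env:TEMP` is reported in 8.3 short form, a Run value that uses the long path will not match the prefix test, so review the key by hand in that case.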



Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Detection Availability

  • FortiClient: Extreme
  • FortiMail: Extreme
  • FortiSandbox: Extreme
  • FortiWeb: Extreme
  • Web Application Firewall: Extreme
  • FortiIsolator: Extreme
  • FortiDeceptor: Extreme
  • FortiEDR

Version Updates

Date        Version   Detail
2019-04-09  67.67400  Sig Updated