W32/Agent.WA!tr

description-logoAnalysis

  • The malware attempts to connect to the following sites:
    • 89.149.241.233
    • 89.149.253.17
    • shared-admin.com
  • It also listens to port 80 indicating that this malware also serves as an HTTP proxy.

  • The malware also attempts to modify/query the infected host's firewall settings by checking this registry
    • HKLM SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

    recommended-action-logoRecommended Action

      FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the 'Allow Push Update' option.
      FortiClient Systems
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Telemetry logoTelemetry

    Detection Availability

    FortiClient
    Extreme
    FortiMail
    Extreme
    FortiSandbox
    Extreme
    FortiWeb
    Extreme
    Web Application Firewall
    Extreme
    FortiIsolator
    Extreme
    FortiDeceptor
    Extreme
    FortiEDR

    Version Updates

    Date Version Detail
    2021-10-26 89.06291
    2021-08-12 88.00322
    2021-07-27 87.00933
    2021-05-15 86.00197
    2021-02-06 83.84100 Sig Added
    2020-04-07 76.53400 Sig Updated
    2020-01-31 74.93100 Sig Added
    2019-03-05 66.83600 Sig Updated
    2019-02-04 66.14300 Sig Added
    2019-02-04 66.14200 Sig Updated