VirusW32/Small.TD!tr
Analysis
This downloader Trojan attempts to use FTP.EXE to retrieve a binary from a hard-coded FTP server. The file was not available at the time of this writing.
FTP file download
The Trojan attempts to use FTP.EXE commonly found in
Windows environments to retrieve binaries from the IP
address 209.58.80.244. The Trojan first writes an FTP
script to the undefinedWindowsundefined\Temp folder as "ABox.ftp",
then initiates FTP.EXE with this script to download
the files. The ftp script contains instructions to retrieve
these three files -
ABox.exe
logon.exe
ABox.bup
The files are to be stored into the Windows folder.
The files were unavailable at the time of this writing.
Miscellaneous
When the FTP client connects to the FTP server, the
FTP dialogue has the following properties -
Connected to 209.58.80.244
220-Jgaa's Fan Club FTP service
WarFTPd 1.82.00-RC9 (Aug 21 2004) Ready
(C)opyright 1996 - 2004 by Jarle (jgaa) AAse - all rights reserved.
Recommended Action
- check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option
FortiGate systems:
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |