W32/Webber.A!tr
Analysis
- Threat is 32-bit, with a size of 5,664 bytes
- Threat attempts to connect to Internet sites and download, then install, components which allow the infected system to be used as a proxy server
- Once the system is compromised, a hacker or group of hackers could hijack use of the computer to send spam messages or perform other malicious actions
- The threat was intentionally mass-mailed to select email addresses, posing as a URL and referencing a financial document known as a "heloc" (home equity line of credit)
- Trojan modifies Internet Explorer to log passwords on websites by modifying the registry –
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"FormSuggest Passwords" = yes
"FormSuggest PW Ask" = yes
- Trojan may store email login credentials and other data in small files on the system –
c:\WINDOWS\SYSTEM\NtXgl16.dat
c:\WINDOWS\SYSTEM\NtXgl16.sys
c:\WINDOWS\SYSTEM\NtXgl16.vxd
- Trojan may attempt to connect to at least three websites using TCP port 80 –
209.249.147.131
addr16.addr.com
server3.jiffynet.net
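The three indicator classes above (registry values, dropped files, port-80 sessions to the listed hosts) can be checked together on a suspect Windows host; the following triage script is an added example and is not Fortinet's code. The indicators come from this page; the function names, the verdict logic and the netstat sample are assumptions constructed for the example, and a registry hit alone is treated as weak because the same AutoComplete settings can be enabled by a user.

```python
import os
import subprocess
# Host indicators from the advisory: IE registry values, dropped files, C2 hosts.
IE_MAIN_KEY = r"Software\Microsoft\Internet Explorer\Main"
IE_VALUES = {"FormSuggest Passwords": "yes", "FormSuggest PW Ask": "yes"}
DROPPED_FILES = [r"c:\WINDOWS\SYSTEM\NtXgl16." + ext for ext in ("dat", "sys", "vxd")]
C2_HOSTS = {"209.249.147.131", "addr16.addr.com", "server3.jiffynet.net"}
# Constructed sample of Windows 'netstat -n' rows (not captured from a real host).
SAMPLE_NETSTAT = ("  TCP    10.0.0.5:49213   209.249.147.131:80   ESTABLISHED\n"
                  "  TCP    10.0.0.5:49214   93.184.216.34:443    ESTABLISHED\n")

def check_registry(values):
    """Values set as the trojan sets them; weak alone (also a legitimate AutoComplete setting)."""
    vals = {k.lower(): str(v).strip().lower() for k, v in values.items()}
    return [n for n, want in IE_VALUES.items() if vals.get(n.lower()) == want]

def check_files(exists=os.path.exists):
    """Dropped files present on disk; 'exists' is injectable for offline testing."""
    return [p for p in DROPPED_FILES if exists(p)]

def check_connections(conns):
    """(remote_host, port) pairs that match a listed C2 host on TCP port 80."""
    return [(h, p) for h, p in conns if p == 80 and h.lower() in C2_HOSTS]

def parse_netstat(text):
    """Reduce 'netstat -n' output to (remote_host, port) pairs (TCP rows only)."""
    rows = [line.split() for line in text.splitlines()]
    ends = [r[2].rpartition(":") for r in rows if len(r) >= 3 and r[0].upper() == "TCP"]
    return [(host, int(port)) for host, _, port in ends if port.isdigit()]

def triage(values, conns, exists=os.path.exists):
    """A dropped file or a C2 session is strong evidence; a registry hit alone is not."""
    hits = {"registry": check_registry(values), "files": check_files(exists),
            "connections": check_connections(conns)}
    hits["verdict"] = ("likely infected" if hits["files"] or hits["connections"]
                       else "review" if hits["registry"] else "clean")
    return hits

def read_ie_main_values():
    import winreg  # Windows-only: read every value under the IE 'Main' key
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, IE_MAIN_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]  # number of values in the key
        return dict(winreg.EnumValue(key, i)[:2] for i in range(count))

if __name__ == "__main__":
    if os.name == "nt":  # live collection is Windows-only; elsewhere run the sample
        raw = subprocess.run(["netstat", "-n"], capture_output=True, text=True).stdout
        print(triage(read_ie_main_values(), parse_netstat(raw)))
    else:
        print(triage({}, parse_netstat(SAMPLE_NETSTAT)))
```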
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option
Telemetry
Detection Availability

Product | Detection availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |