W32/Agent.0D65!tr.bdr
Analysis
- It drops the following files:
  - %Program Files%\Common Files\MSSoap\Binaries\Resources\1033\MicrosoftSoap1.02.814.0.exe
  - %Program Files%\Common Files\SpeechEngines\Microsoft\TTS\1033\WindowsTMMicrosoft.exe
  - %Program Files%\Common Files\SpeechEngines\Microsoft\TTS\1033\WindowsTMSystem.exe
  - %Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOG3\i386\ThinPrinttpprn761951.exe
  - %Program Files%\Common Files\VMware\Drivers\vmci\vmciVMware.exe
  - %Program Files%\MSN Gaming Zone\Windows\Zonebackgammon.exe
- It adds the following registry entries:
  - key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    - value: SysinternalsSysinternals
    - data: C:\Documents and Settings\[User]\Desktop\036CBDAC.exe
  - key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    - value: Zonebackgammon
    - data: %Program Files%\MSN Gaming Zone\Windows\Zonebackgammon.exe
  - key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    - value: MSSOAPRMicrosoft
    - data: %Program Files%\Common Files\MSSoap\Binaries\Resources\1033\MicrosoftSoap1.02.814.0.exe
  - key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    - value: OperatingSystem
    - data: %Program Files%\Common Files\SpeechEngines\Microsoft\TTS\1033\WindowsTMMicrosoft.exe
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.