Virus

W32/Webber.J!tr

Analysis

  • Update: AV definition v4.351 adds coverage for a variant of Webber, identified as W32/Webber.J!tr.
  • The threat is a 32-bit executable, 44,064 bytes in size
  • The Trojan may have been introduced to the system by another malware component known as W32/DL.6176.B-net; that downloader attempts to fetch and install W32/Rebbew.J-tr from an Internet web page
  • The Trojan is initially retrieved as a GIF image file named "neher.gif" and is saved to disk as an .EXE file
  • Once installed, the Trojan allows the infected system to be used as a proxy server
  • Once the system is compromised, an attacker could hijack the computer to send spam messages or carry out other malicious actions
  • The Trojan opens a TCP port and waits for instructions from the attacker
  • The Trojan may create a .DLL with a random file name to act as a component and modify the registry so that this component is loaded as a server application -

    HKEY_CLASSES_ROOT\CLSID\
    {79FB9088-19CE-715D-D85A-216290C5B738}\InProcServer32\
    "(Default)" = C:\WINNT\System32\<random>.dll
    "ThreadingModel" = Apartment

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\ShellServiceObjectDelayLoad\
    "Web Event Logger" = {79FB9088-19CE-715D-D85A-216290C5B738}

  • The Trojan configures Internet Explorer to log passwords entered on websites by setting the following registry values -

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    "FormSuggest Passwords" = yes AutoSuggest (extra data)
    "FormSuggest PW Ask" = yes AutoSuggest (extra data)

  • The Trojan may store e-mail login credentials and other data in small files on the system -

    c:\WINNT\system32\Neh32.dat
    c:\WINNT\system32\Neh32.sys
    c:\WINNT\system32\Neh32.vxd

  • The Trojan may attempt to connect to a Russian website, 'www.royalpank.ru', on TCP port 80
  • Once connected, the Trojan submits data to a server-side script, reporting the IP address of the infected system and the TCP port on which the Trojan listens

Recommended Action

  • Block access to these web addresses -

    bancoline.hotmail.ru
    www.royalpank.ru
    flock0uhs.newmail.ru
    nss.newmail.ru
    82.146.35.45
    82.146.56.242
    212.16.0.1
    212.48.140.151
    212.48.140.155

  • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option
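The indicators in the Analysis section (the SSODL persistence entry and CLSID registration, the FormSuggest values, the Neh32.* files) and the block list in the Recommended Action section can be turned into a host and log check. The script below is an added example and is not Fortinet's code or part of the original advisory. To run offline it takes a .reg export, a file listing and firewall log lines with `dst=` fields as input; the `qzxtpl.dll` name, the benign SSODL GUID and the log lines are constructed sample data, and on a live host the same checks would be fed from `reg.exe export` output and a directory listing.

```python
import re
from typing import Dict, List

# Indicators taken from the advisory text.
WEBBER_CLSID = "{79FB9088-19CE-715D-D85A-216290C5B738}"
SSODL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
             r"\CurrentVersion\ShellServiceObjectDelayLoad")
INPROC_KEY = r"HKEY_CLASSES_ROOT\CLSID\%s\InProcServer32" % WEBBER_CLSID
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
FORMSUGGEST_VALUES = ("FormSuggest Passwords", "FormSuggest PW Ask")
DROPPED_FILES = {r"c:\winnt\system32\neh32.dat",
                 r"c:\winnt\system32\neh32.sys",
                 r"c:\winnt\system32\neh32.vxd"}
BLOCKED_HOSTS = {"bancoline.hotmail.ru", "www.royalpank.ru",
                 "flock0uhs.newmail.ru", "nss.newmail.ru",
                 "82.146.35.45", "82.146.56.242", "212.16.0.1",
                 "212.48.140.151", "212.48.140.155"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [key] / "name"="value" layout of a .reg export into a dict.
    Keys and value names are lower-cased (the registry is case-insensitive),
    "@" becomes "(default)", string values lose quotes and doubled backslashes."""
    reg: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            continue
        name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1].lower()
        value = m.group(2).strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace("\\\\", "\\")
        reg[current][name] = value
    return reg


def find_webber_indicators(reg: Dict[str, Dict[str, str]],
                           files: List[str]) -> List[str]:
    """Return one line per advisory indicator that is present."""
    hits: List[str] = []
    # Persistence: any SSODL value pointing at the Webber CLSID (the
    # advisory's value name is "Web Event Logger", but match on the GUID).
    for name, clsid in reg.get(SSODL_KEY.lower(), {}).items():
        if clsid.upper() == WEBBER_CLSID:
            hits.append("SSODL value '%s' loads Webber CLSID" % name)
    # The COM registration reveals the randomly named DLL.
    dll = reg.get(INPROC_KEY.lower(), {}).get("(default)")
    if dll:
        hits.append("Webber CLSID registered to %s" % dll)
    # IE password-logging settings: users can set these themselves, so
    # treat them as corroborating rather than conclusive.
    ie = reg.get(IE_MAIN_KEY.lower(), {})
    for v in FORMSUGGEST_VALUES:
        if ie.get(v.lower(), "").lower() == "yes":
            hits.append("IE '%s' is set to yes" % v)
    # Credential-store files dropped by the Trojan.
    for path in files:
        if path.lower() in DROPPED_FILES:
            hits.append("dropped file present: %s" % path)
    return hits


def flag_blocked_destinations(log_lines: List[str]) -> List[str]:
    """Return 'dst=' destinations that appear on the advisory's block list."""
    out: List[str] = []
    for line in log_lines:
        m = re.search(r"\bdst=(\S+)", line)
        if m and m.group(1).lower() in BLOCKED_HOSTS:
            out.append(m.group(1))
    return out


# Constructed sample input (not captured from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{79FB9088-19CE-715D-D85A-216290C5B738}\InProcServer32]
@="C:\\WINNT\\System32\\qzxtpl.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Benign Entry"="{00000000-0000-0000-0000-000000000001}"
"Web Event Logger"="{79FB9088-19CE-715D-D85A-216290C5B738}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"FormSuggest Passwords"="yes"
"FormSuggest PW Ask"="yes"
"""
SAMPLE_FILES = [r"C:\WINNT\system32\Neh32.dat", r"C:\WINNT\system32\kernel32.dll"]
SAMPLE_LOG = [
    "2004-06-01 10:00:01 src=10.0.0.5 dst=www.royalpank.ru dport=80 action=allow",
    "2004-06-01 10:00:07 src=10.0.0.5 dst=example.com dport=80 action=allow",
    "2004-06-01 10:00:12 src=10.0.0.9 dst=82.146.35.45 dport=80 action=allow",
]

if __name__ == "__main__":
    for h in find_webber_indicators(parse_reg_export(SAMPLE_REG), SAMPLE_FILES):
        print("INDICATOR:", h)
    for d in flag_blocked_destinations(SAMPLE_LOG):
        print("BLOCKED DEST:", d)
```

Matching the SSODL entry on the GUID rather than the "Web Event Logger" name is deliberate: the value name is trivially changed between variants, while the CLSID is what the shell actually loads. A hit on the InProcServer32 default value also gives you the DLL path to collect for analysis.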