VirusW32/VB.AEXW!tr.dldr
Analysis
- It uses the following commands to query some process information:
- GetObject ("winmgmts:\\.\root\cimv2")
- ExecQuery ("select * from Win32_Process")
- It sends the collected information to a remote server:
- http://tongji.{Removed}.com//clcount/ip.asp?action=install&mac=undefineds&ver=undefineds&lianmeng=undefineds&system=undefineds&shada=undefineds&alexa=1&ie=undefinedd
- It downloads files from the following URLs:
- http://tongji.{Removed}.com/cpa.txt
- http://tongji.{Removed}.com/cpa/119.exe
- http://tongji.{Removed}.com/cpa/c13.exe
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |