W32/VB.AEXW!tr.dldr
Analysis
- It uses the following WMI (Windows Management Instrumentation) calls to enumerate running processes:
- GetObject ("winmgmts:\\.\root\cimv2")
- ExecQuery ("select * from Win32_Process")
- It sends the collected information to a remote server in an HTTP request to the following URL (most of the query-string parameters carry the literal string "undefined" rather than real values):
- http://tongji.{Removed}.com//clcount/ip.asp?action=install&mac=undefineds&ver=undefineds&lianmeng=undefineds&system=undefineds&shada=undefineds&alexa=1&ie=undefinedd
- It downloads files from the following URLs:
- http://tongji.{Removed}.com/cpa.txt
- http://tongji.{Removed}.com/cpa/119.exe
- http://tongji.{Removed}.com/cpa/c13.exe
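The beacon and download URLs above make a usable network signature: the check-in hits `/clcount/ip.asp` with `action=install` and a run of parameters whose value begins with "undefined", and the payloads come from `/cpa.txt` and `/cpa/*.exe` on the same host. The following script is an added example, not part of the Fortinet write-up, showing how a responder might hunt for that pattern in proxy logs. The log format, the sample lines, the placeholder host `tongji.example.com` (the real domain is redacted on this page) and the threshold of three "undefined" fields are all assumptions made for illustration.

```python
"""Hunt for W32/VB.AEXW!tr.dldr beacon and payload-download traffic in proxy logs.

Added example; not code from the Fortinet write-up. The log format, host
name "tongji.example.com" and the "undefined" placeholder heuristic are
assumptions made for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines: "<ts> <src_ip> <method> <url> <status>".
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 GET http://tongji.example.com//clcount/ip.asp?action=install&mac=undefineds&ver=undefineds&lianmeng=undefineds&system=undefineds&shada=undefineds&alexa=1&ie=undefinedd 200
2024-03-01T10:00:02Z 10.0.0.5 GET http://tongji.example.com/cpa.txt 200
2024-03-01T10:00:03Z 10.0.0.5 GET http://tongji.example.com/cpa/119.exe 200
2024-03-01T10:00:04Z 10.0.0.5 GET http://tongji.example.com/cpa/c13.exe 200
2024-03-01T10:00:05Z 10.0.0.7 GET http://www.example.org/index.html 200
2024-03-01T10:00:06Z 10.0.0.9 GET http://cdn.example.net/static/app.exe 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)

BEACON_PATH = "/clcount/ip.asp"
CONFIG_PATHS = ("/cpa.txt",)   # exact path match
PAYLOAD_PREFIX = "/cpa/"       # followed by an .exe name
MIN_UNDEFINED_FIELDS = 3       # assumed threshold for the placeholder heuristic


def classify_url(url):
    """Return "beacon", "config-download", "payload-download" or None."""
    parts = urlsplit(url)
    # The observed beacon has a doubled slash ("//clcount"); collapse runs of
    # slashes so the path comparison is stable.
    path = re.sub(r"/{2,}", "/", parts.path)
    if path.endswith(BEACON_PATH):
        q = parse_qs(parts.query)
        # parse_qs maps each key to a list of values. The beacon sets
        # action=install and leaves most fields as the literal "undefined"
        # plus a one-letter suffix, which is a strong content-based signature.
        if q.get("action") == ["install"]:
            undefined_fields = [
                k for k, v in q.items() if v and v[0].startswith("undefined")
            ]
            if len(undefined_fields) >= MIN_UNDEFINED_FIELDS:
                return "beacon"
    if path in CONFIG_PATHS:
        return "config-download"
    if path.startswith(PAYLOAD_PREFIX) and path.lower().endswith(".exe"):
        return "payload-download"
    return None


def scan_log(text):
    """Parse log lines; return (list of hits, sorted list of infected source IPs).

    A source is reported as infected only when it both beaconed and fetched a
    payload, which avoids alerting on a lone, possibly benign, .exe download.
    """
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        tag = classify_url(m["url"])
        if tag:
            hits.append({
                "ts": m["ts"],
                "src": m["src"],
                "tag": tag,
                "host": urlsplit(m["url"]).hostname,
            })
    tags_by_src = {}
    for h in hits:
        tags_by_src.setdefault(h["src"], set()).add(h["tag"])
    infected = sorted(
        src for src, tags in tags_by_src.items()
        if "beacon" in tags and "payload-download" in tags
    )
    return hits, infected


if __name__ == "__main__":
    found, hosts = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['src']} {h['tag']} ({h['host']})")
    print("infected:", hosts)
```

Matching on the `undefined` placeholders rather than on the domain alone keeps the rule useful if the operator moves the check-in to a new host, while the beacon-plus-payload correlation in `scan_log` limits false positives from a single stray `.exe` fetch.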
Recommended Action
FortiGate Systems
- Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability

| Product | Database |
|---|---|
| FortiClient | Extreme |
| FortiMail | Extreme |
| FortiSandbox | Extreme |
| FortiWeb | Extreme |
| Web Application Firewall | Extreme |
| FortiIsolator | Extreme |
| FortiDeceptor | Extreme |
| FortiEDR | |