W32/VB.WL!tr
Analysis
W32/VB.WL!tr is a generic detection for a type of trojan that uses a polymorphic custom packer, which is written in Visual Basic.
Since this is a generic detection, malware detected as W32/VB.WL!tr may vary in behavior. Below are examples of some of these behaviors:
- Creates the following file:
  - %Windows%\winudpmgr.exe: original copy of the malware.
- Creates the following registry entry:
  - key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
  - value: Windows UDP Control Center
  - data: %Windows%\winudpmgr.exe
- Injects malicious code into the following processes:
  - explorer.exe
  - iexplore.exe
- Deletes itself after execution.
- Connects to the following server:
  - 94.68.{Removed}.85
Detection Availability
Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |