W32/Killwin.C
Analysis
Specifics
This Trojan creates new shares on a compromised system.
The shares are named 'RPC$' and 'USR$'. This Trojan
may be installed by a dropper, or as part of a combination
of malware.
The Trojan creates output files which contain sensitive configuration details. These are the output files created -
c:\png00002.jpg
%Windows%\inf\Layout10.pnf
%Windows%\inf\Layout11.pnf
%Windows%\System32\msmgmt.dll
The files 'msmgmt.dll' and 'png00002.jpg' may contain the following types of data -
- environment variables in memory
- listing of currently running services
- directory listing of root files, program files, and their ownership details
- other log file entries indicating whether commands initiated at the MS-DOS level were successful or not
New Shares Created
The Trojan may add two additional shares to the system
with these names -
RPC$
USR$
The system registry is updated to reflect how these shares are configured -
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares\
"RPC$" = "CSCFlags=0 MaxUses=429496795 Path=c:\ Permissions=63 Remark=Vyhrazeno systemu Windows Type=0"
"USR$" = "CSCFlags=0 MaxUses=429496795 Path=%user profile folder% Permissions=63 Remark=Vychozi sdileni uzivatele Type=0"
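To check a host for the share definitions described above, here is an added example (not part of this advisory or any Fortinet tool) in Python that parses the lanmanserver\Shares value format and flags shares matching the indicators above. The sample share data and the function names are constructed for illustration; on Windows, load_shares_from_registry() reads the real key.

```python
import re

# Share names the advisory attributes to W32/Killwin.C
KILLWIN_SHARE_NAMES = {"RPC$", "USR$"}

# Constructed sample mirroring the REG_MULTI_SZ format quoted in the
# advisory: one "Key=Value" element per share setting.
SAMPLE_SHARES = {
    "RPC$": ["CSCFlags=0", "MaxUses=429496795", "Path=c:\\",
             "Permissions=63", "Remark=Vyhrazeno systemu Windows", "Type=0"],
    "USR$": ["CSCFlags=0", "MaxUses=429496795", "Path=C:\\Users\\alice",
             "Permissions=63", "Remark=Vychozi sdileni uzivatele", "Type=0"],
    "Public": ["CSCFlags=0", "MaxUses=4294967295", "Path=C:\\Shared",
               "Permissions=0", "Remark=", "Type=0"],
}

def parse_share(tokens):
    """Turn 'Key=Value' elements into a dict (values may contain '=')."""
    fields = {}
    for tok in tokens:
        key, _, value = tok.partition("=")
        fields[key] = value
    return fields

def classify_share(name, tokens):
    """Return the list of reasons a share looks like the Killwin.C shares."""
    fields = parse_share(tokens)
    reasons = []
    if name.upper() in KILLWIN_SHARE_NAMES:
        reasons.append("share name matches W32/Killwin.C")
    # A bare drive letter (e.g. "c:\") exposes the whole volume
    if re.fullmatch(r"[A-Za-z]:\\?", fields.get("Path", "")):
        reasons.append("exposes an entire drive root")
    # 63 is the Permissions value the advisory quotes for both shares
    if fields.get("Permissions") == "63":
        reasons.append("Permissions=63 as quoted in the advisory")
    return reasons

def scan_shares(shares):
    """Map each suspicious share name to its reasons; clean shares are omitted."""
    hits = {name: classify_share(name, toks) for name, toks in shares.items()}
    return {name: why for name, why in hits.items() if why}

def load_shares_from_registry():
    """Windows only: read the live lanmanserver\\Shares key into the same shape."""
    import winreg  # assumption: running on Windows with read access to HKLM
    path = r"System\CurrentControlSet\Services\lanmanserver\Shares"
    shares = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        i = 0
        while True:
            try:
                name, value, vtype = winreg.EnumValue(key, i)
            except OSError:
                break
            if vtype == winreg.REG_MULTI_SZ:
                shares[name] = value
            i += 1
    return shares

if __name__ == "__main__":
    for name, why in scan_shares(SAMPLE_SHARES).items():
        print(name, "->", "; ".join(why))
```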
Recommended Action
Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option