VirusW32/Chimoz.AG!tr
Analysis
- Sample is packed with ASPack.
- This trojan is downloaded by W32/Dloader.MI!tr and W32/Chimoz.AD!tr.
- Attempts to downloads the following files:
- http://wz{REMOVED}/eupdate.exe : detected as W32/Chimoz.AC!tr
- http://wz{REMOVED}/explore.exe : detected as W32/Chimoz.V!tr
- http://www.wz{REMOVED}/sf/intranet.exe : detected as W32/Chimoz.AD!tr
- http://www.wz{REMOVED}/sf/iupdate.exe : detected as W32/Chimoz.AB!tr
- http://wz{REMOVED}/tupdate.exe : detected as W32/Chimoz.AF!tr
- http://wz{REMOVED}/taskmor.exe : detected as W32/Chimoz.U!tr
- http://www.wz{REMOVED}/sf/winlogin.exe : detected as W32/Chimoz.AH!tr
- http://wz{REMOVED}/sf/wupdate.exe : detected as W32/Chimoz.AB!tr
It saves the downloaded files to the Windows folder, then executes them.
- Creates the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Intranet = "undefinedWINDOWSundefined\intranet.exe"
Recommended Action
-
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |