VirusW32/Webber.F
Analysis
Specifics
This threat may have been introduced to the system via
a malicious web page. In one instance, a threat identified
as "JS/Scob.A-tr" was the culprit. The javascript
threat JS/Scob.A-tr was identified on some compromised
web servers and was the component which installed W32/Webber.F
onto computers. Using a series of IFrame tags as a means
to exploit the functionality of Internet Explorer, the
Trojan Webber.F was installed.
When Webber.F is installed, three files are written to the System32 folder. Two of the files have random file names, while the other is static, such as the following -
Dgcjbngh.dll [6,145 bytes]
Hdkqnjbo.exe [51,712 bytes]
surf.dat [small text file]
The file "surf.dat" is a small text file containing the machine name and logon name of the logged on user on the compromised system at the time of infection.
The virus will perform period DNS queries against these web sites -
asechka.ru
mazafaka.ru
gaz-prom.ru
kidos-bank.ru
www.redline.ru
Webber.F registers it's small DLL to load as a component of Internet Explorer -
HKEY_CLASSES_ROOT\CLSID\
{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\
"(Default)" = C:\WINNT\System32\Dgcjbngh.dll
"ThreadingModel" = Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad\
"Web Event Logger" = {79FEACFF-FFCE-815E-A900-316290B5B738}
The .DLL may function as a remote shell on the compromised
system. This .DLL may also be known as Backdoor.Padador.
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |