Virus

W32/Webber.F

Analysis


Specifics
This threat may have been introduced to the system via a malicious web page. In one instance, a threat identified as "JS/Scob.A-tr" was the culprit. The JavaScript threat JS/Scob.A-tr was identified on some compromised web servers and was the component that installed W32/Webber.F onto computers: it used a series of IFrame tags to exploit functionality in Internet Explorer, and the Trojan Webber.F was installed as a result.

When Webber.F is installed, three files are written to the System32 folder. Two of the files have random file names, while the third has a fixed name, for example -

Dgcjbngh.dll [6,145 bytes]
Hdkqnjbo.exe [51,712 bytes]
surf.dat [small text file]

The file "surf.dat" is a small text file containing the machine name and the logon name of the user who was logged on to the compromised system at the time of infection.

The virus performs periodic DNS queries for these web sites -

asechka.ru
mazafaka.ru
gaz-prom.ru
kidos-bank.ru
www.redline.ru

Webber.F registers its small DLL to load as a component of Internet Explorer -

HKEY_CLASSES_ROOT\CLSID\
{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\
"(Default)" = C:\WINNT\System32\Dgcjbngh.dll
"ThreadingModel" = Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad\
"Web Event Logger" = {79FEACFF-FFCE-815E-A900-316290B5B738}


The .DLL may function as a remote shell on the compromised system. This .DLL may also be detected under the name Backdoor.Padador.
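As a defensive check to pair with the registry entries above (an added example, not code from the Fortinet write-up), this PowerShell script enumerates every ShellServiceObjectDelayLoad value, resolves each CLSID to its InProcServer32 DLL, and flags the Webber.F indicators together with any handler whose DLL is missing from disk or not validly signed. It assumes a current Windows host with PowerShell, must be run elevated, and will also list the legitimate Windows entries in this key, which should be reviewed rather than removed.

```powershell
# Added example, not from the original page: audit the persistence point described above.
# Each ShellServiceObjectDelayLoad (SSODL) value names a CLSID that the shell loads at logon;
# the CLSID's InProcServer32 key points at the DLL that actually gets loaded.

$SsodlPath      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$WebberClsid    = '{79FEACFF-FFCE-815E-A900-316290B5B738}'   # CLSID from the write-up
$WebberValue    = 'Web Event Logger'                           # value name from the write-up
$WebberDataFile = Join-Path $env:SystemRoot 'System32\surf.dat' # dropped data file from the write-up

function Get-SsodlEntry {
    # One object per SSODL value: value name, CLSID, and the DLL the CLSID resolves to.
    $key = Get-Item -Path $SsodlPath -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $clsid  = [string]$key.GetValue($name)
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        $dll    = if (Test-Path -Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { $null }
        [pscustomobject]@{ Name = $name; Clsid = $clsid; Dll = $dll }
    }
}

function Test-SsodlEntry {
    # Returns the reasons an entry deserves a closer look (empty = nothing noteworthy).
    param([Parameter(Mandatory)]$Entry)
    $reasons = @()
    if ($Entry.Clsid -ieq $WebberClsid) { $reasons += 'CLSID matches the W32/Webber.F entry' }
    if ($Entry.Name  -ieq $WebberValue) { $reasons += 'value name matches the W32/Webber.F entry' }
    if (-not $Entry.Dll) {
        $reasons += 'CLSID has no InProcServer32 key (orphaned or hidden handler)'
    } elseif (-not (Test-Path -Path $Entry.Dll)) {
        $reasons += "DLL not found on disk: $($Entry.Dll)"
    } elseif ((Get-AuthenticodeSignature -FilePath $Entry.Dll).Status -ne 'Valid') {
        $reasons += "DLL is not validly signed: $($Entry.Dll)"
    }
    return $reasons
}

# Report every SSODL handler, marking the ones that need review.
foreach ($entry in Get-SsodlEntry) {
    $reasons = @(Test-SsodlEntry -Entry $entry)
    $flag = if ($reasons.Count -gt 0) { 'REVIEW' } else { 'ok    ' }
    Write-Output ('{0} {1,-24} {2} -> {3}' -f $flag, $entry.Name, $entry.Clsid, $entry.Dll)
    foreach ($r in $reasons) { Write-Output "       reason: $r" }
}
# The write-up's dropped data file is a second, independent indicator.
if (Test-Path -Path $WebberDataFile) {
    Write-Output "REVIEW dropped data file present: $WebberDataFile"
}
```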


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option