W32/Banito.D
Analysis
Specifics
This 32-bit backdoor Trojan has a packed file size of
24,256 bytes. Its only indication to the system that it
is doing anything malicious may be a firewall alert
when the Trojan attempts to connect to the IP address
68.9.59.120 (aka illwill.no-ip.com). Aside from this,
there are no noticeable symptoms of system compromise.
Loading At Windows Startup
If this Trojan is executed, it will copy itself to the
Windows folder as 'winhost32.exe'. It will also register
itself to autorun at each Windows startup using the
system registry. The loading location is not the typical
"Run" key but the Active Setup "Installed Components" key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{tb9381D8F2-0288-11D0-9501-00AA00B911A5}
"StubPath" = C:\WINNT\winhost32.exe
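As an added defender's check (not Fortinet's code), the following Python parses a `reg export` of the Active Setup key and flags StubPath entries that name winhost32.exe or launch an executable straight from the Windows folder. The sample export, the benign component GUID and the Windows-folder paths are constructed assumptions, not captured data.

```python
ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
KNOWN_BAD_NAMES = {"winhost32.exe"}          # filename named on this page
WINDOWS_DIRS = {r"c:\winnt", r"c:\windows"}   # assumption: typical %SystemRoot% paths

# Constructed sample export (not a real capture): one benign-looking component
# followed by the persistence entry described above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"StubPath"="C:\\WINNT\\system32\\regsvr32.exe /s /n /i:U shell32.dll"
"Version"="6,0,2900,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{tb9381D8F2-0288-11D0-9501-00AA00B911A5}]
"StubPath"="C:\\WINNT\\winhost32.exe"
"""

def parse_stubpaths(reg_text):
    """Map each Installed Components subkey to its StubPath (.reg escaping undone)."""
    result, current = {}, None
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key if key.startswith(ACTIVE_SETUP + "\\") else None
        elif current and line.startswith('"StubPath"='):
            raw = line.split("=", 1)[1].strip().strip('"')
            result[current] = raw.replace("\\\\", "\\")
    return result

def suspicious(stubpath):
    """Reasons a StubPath deserves a look; an empty list means nothing flagged."""
    parts = stubpath.split()
    if not parts:
        return []
    exe = parts[0]                                 # program only; arguments dropped
    parent, _, name = exe.rpartition("\\")
    reasons = []
    if name.lower() in KNOWN_BAD_NAMES:
        reasons.append("known Banito.D filename")
    if parent.lower() in WINDOWS_DIRS:
        reasons.append("executable dropped directly in the Windows folder")
    return reasons

def audit(reg_text):
    """Return only the flagged components, each with its list of reasons."""
    return {key: reasons for key, path in parse_stubpaths(reg_text).items()
            if (reasons := suspicious(path))}
```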
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- Using the FortiGate manager, add these to the URL
block list -
illwill.no-ip.com
68.9.59.120
Telemetry
Detection Availability
Product | Detection Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |