Virus

W32/RBot.AXE!worm

Analysis

As with the RBot family, this threat lies dormant on a compromised system and awaits attack sequence instructions before it can spread further to other systems.
If this virus is run or launched, it will copy itself to the System32 folder as "wmpa36d.exe". The virus will then register itself to load at each Windows startup -
HKEY_CURRENT_USER\Software\Microsoft\OLE
"Windows Media Player 3.6d" = wmpa36d.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Windows Media Player 3.6d" = wmpa36d.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"Windows Media Player 3.6d" = wmpa36d.exe
The virus will attempt to connect with an external server with the IP 69.56.179.10 in order to notify it of the installation.
The virus will also attempt to download adware known as "Second Thought". The adware is retrieved from a hard-coded site as the file name "dust.exe".

Recommended Action

  • FortiGate systems: check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option