Virus

W32/Virtum!tr

Analysis


  • It drops the following files:
    • %System%\ljjgeee.dll
    • C:\Documents and Settings\Administrator\Local Settings\Temp\removalfile.bat

  • It adds the following registry entries:
    • key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjgeee
    • value: DllName
    • data: ljjgeee.dll

    • key: HKCR\CLSID\{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}\
    • value: InprocServer32
    • data: %System%\ljjgeee.dll

    • key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjgeee
    • value: logon
    • data: logon

  • It injects code into the explorer.exe process.
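As an added defensive example (not part of this Fortinet entry), the following Python parses a `reg export` dump and flags the two registry persistence artifacts listed above: a Winlogon Notify package whose DllName is ljjgeee.dll, and any value under the listed CLSID that points at that DLL. The sample dump, including the crypt32chain entry used as a benign control, is constructed for this example.

```python
import re

# Indicators from the analysis above; the Notify DLL is matched by file name
# since the listing gives its directory only as the %System% placeholder.
NOTIFY_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify"
VIRTUM_CLSID = "{178d4e6a-ba5a-4ecb-8521-f7b8393fdb97}"
VIRTUM_DLL = "ljjgeee.dll"

# Constructed 'reg export' sample: a legitimate XP notify package (crypt32chain)
# beside the two persistence keys the analysis lists.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjgeee]
"DllName"="ljjgeee.dll"
"logon"="logon"
[HKEY_CLASSES_ROOT\CLSID\{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}\InprocServer32]
@="C:\\WINDOWS\\system32\\ljjgeee.dll"
"""

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg_export(text):
    """Parse a .reg dump into {key: {value_name: data}}; REG_SZ data is unescaped, "" names the default value."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            current[name] = data
    return keys

def find_virtum_indicators(keys):
    """Return (reason, key, data) for Notify packages loading the Virtum DLL and for the hijacked CLSID."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        if low.startswith(NOTIFY_KEY + "\\"):
            dll = values.get("DllName", "")
            if dll.lower().rsplit("\\", 1)[-1] == VIRTUM_DLL:
                findings.append(("winlogon_notify", key, dll))
        elif VIRTUM_CLSID in low:
            for data in values.values():
                if VIRTUM_DLL in data.lower():
                    findings.append(("clsid_inprocserver32", key, data))
    return findings
```

Winlogon notification packages are only loaded by Windows XP and Server 2003; Vista and later ignore the key, so an entry there on a newer system is a leftover persistence artifact to investigate rather than an active load.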


Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.