W32/Virtum!tr
Analysis
- It drops the following files:
  - undefinedSystemundefined\ljjgeee.dll
  - C:\Documents and Settings\Administrator\Local Settings\Temp\removalfile.bat
- It adds the following registry entries:
  - key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjgeee
    - value: DllName
    - data: ljjgeee.dll
  - key: HKCR\CLSID\{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}\
    - value: InprocServer32
    - data: undefinedSystemundefined\ljjgeee.dll
  - key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjgeee
    - value: logon
    - data: logon
- It injects code into the explorer.exe process.
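As an added defender's check (not part of the Fortinet advisory), the following Python parses a Windows .reg export and flags the two registry artifacts listed above: a Winlogon Notify package whose DllName is the dropped DLL, and the CLSID whose in-process server path ends in that DLL. The sample export, including the benign crypt32chain entry, is constructed for the example.

```python
# Indicators copied from the advisory above; everything else is constructed.
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
VIRTUM_DLL = "ljjgeee.dll"
VIRTUM_CLSID = "{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}"

def parse_reg_export(text):
    """Parse a .reg export (e.g. from `reg export`) into {key: {value_name: data}}.
    Only string values are kept; .reg files escape backslashes, so they are unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_virtum_indicators(reg_text):
    """Return human-readable findings for the registry artifacts listed in the advisory."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        # 1. A Winlogon Notify package whose DllName is the dropped DLL.
        if key.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            dll = values.get("DllName", "")
            if dll.lower().endswith(VIRTUM_DLL):
                package = key.rsplit(chr(92), 1)[-1]
                findings.append(f"Winlogon Notify package '{package}' loads {dll}")
        # 2. The COM class registration whose server path ends in the dropped DLL.
        if VIRTUM_CLSID.lower() in key.lower():
            for name, data in values.items():
                if data.lower().endswith(VIRTUM_DLL):
                    findings.append(f"CLSID {VIRTUM_CLSID} server {name!r} -> {data}")
    return findings

# Constructed sample export: one benign Notify package plus both Virtum artifacts.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjgeee]
"DllName"="ljjgeee.dll"
"logon"="logon"

[HKEY_CLASSES_ROOT\CLSID\{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}\InprocServer32]
@="C:\\WINDOWS\\system32\\ljjgeee.dll"
"""

if __name__ == "__main__":
    for finding in find_virtum_indicators(SAMPLE_REG):
        print("INDICATOR:", finding)
```

Run it against a real export of HKLM and HKCR to check a host; a clean host produces no INDICATOR lines.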
Recommended Action
- FortiGate Systems
  - Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
- FortiClient Systems
  - Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
(Product availability table; the per-product availability markers were not preserved in this copy. Products listed: FortiGate, Extended, FortiClient, FortiMail, FortiSandbox, FortiWeb, Web Application Firewall, FortiIsolator, FortiDeceptor, FortiEDR.)