W32/Agent.KM!tr
Analysis
W32/Agent.KM!tr - 06-07-10
General Info:
This threat is a PE executable, 35,949 bytes in size, packed with FSG.
Network/Internet:
- Connects to Server: HTTP
- Other Payloads: Listen on incoming ports + Downloads updates
Files:
- Copies itself to: %SystemRoot% / %WinDir%
- Drop files: ".exe"
More Info:
1. While running in memory, the virus creates the named mutex "wrs23nz-01dfp" to
ensure that only one instance of the virus is executed on the computer.
2. Creates a copy of itself in the %SYSTEM% folder as "_zskwrkni05{RANDOM}.exe"
and then registers itself to run at each Windows startup by adding the entry:
"_zsk{RANDOM}" = "%SYSTEM%\_zskwrkni05{RANDOM}.exe"
to the following registry subkeys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3. Creates the following registry subkey:
HKLM\Software\Microsoft\ATI_VER
It also adds the following entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
"Explorer 2238" = "%SystemDir%\{Random_Filename}"
4. May download additional malware from the following URL and execute it:
http: //download.[REMOVED].biz/traff/ppiigg.exe
5. Attempts to terminate processes containing the following strings:
antinet8
ati2evxx
atipalxx
atipatnm
atipatxx
atiptilt
atiupdpl
bargains.exe
chk037
cmmon
cnkdsk
csrsvr
drwtsn64
eventwvr
frescra
gadgscan
hedgie
jucheck.exe
k1elo
kb691498
kb691499
leeman
listmru
logopod
mcvsshld.exe
mppey.exe
mpsegment
...
6. Drops the file "TheMatrixHasYou.exe" in the %SYSTEM% folder; this file is itself malware,
which Fortinet detects as "W32/Small.BO!tr".
7. Opens a proxy that listens on a random TCP port.
8. Sends GET requests with information about the compromised computer to the following URL:
http: //[REMOVED].biz/wrkni05/r.php
The information includes the following:
proxy port number
IP address
OS version
VolumeSerialNumber
9. Based on its behaviour, the malware appears to contain rootkit capability.
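The host and network indicators above (steps 2, 3, 6 and 8) are concrete enough to hunt for. The script below is an added example, not Fortinet's code: it parses the output of `reg query <key> /s` for the autostart values the analysis describes, matches proxy log lines for the beacon and downloader paths, and (on Windows only) checks whether the step-1 mutex already exists. The registry dump and log lines are constructed samples; the `.biz` host is left redacted as on this page, and the beacon's query-string parameter names are not given above, so matching is on the URL path only.

```python
"""IOC triage for the W32/Agent.KM!tr indicators described in the analysis above.

Added example (not Fortinet's code). Indicators taken from the write-up:
  - Run-key value "_zsk{RANDOM}" pointing at "_zskwrkni05{RANDOM}.exe" in the system folder
  - Run-key value "Explorer 2238" pointing at a random file name in the system folder
  - dropped file "TheMatrixHasYou.exe"
  - GET http://<host>.biz/wrkni05/r.php (beacon) and .../traff/ppiigg.exe (downloader)
  - named mutex "wrs23nz-01dfp"
The registry dump and proxy log lines below are constructed samples.
"""
import re
import sys
from typing import List, Tuple

MUTEX = "wrs23nz-01dfp"
RUN_NAME_RE = re.compile(r"^_zsk\w*$", re.IGNORECASE)
RUN_DATA_RE = re.compile(r"\\_zskwrkni05\w*\.exe$", re.IGNORECASE)
EXPLORER_NAME = "explorer 2238"
DROPPED_FILE = "thematrixhasyou.exe"
# Host is redacted on the page, so only the TLD and the two known paths are matched.
C2_URL_RE = re.compile(r"^https?://[^/\s]+\.biz/(wrkni05/r\.php|traff/ppiigg\.exe)", re.IGNORECASE)

# Constructed sample in the format `reg query HKLM\...\Run /s` prints (key lines
# unindented, values indented and separated by runs of spaces).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    _zsk4f2a    REG_SZ    C:\WINDOWS\system32\_zskwrkni054f2a.exe
    Explorer 2238    REG_SZ    C:\WINDOWS\system32\qxtplm.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    _zsk4f2a    REG_SZ    C:\WINDOWS\system32\_zskwrkni054f2a.exe
"""

# Constructed proxy log: "<epoch> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "1276000000.123 10.0.0.12 GET http://www.example.com/index.html 200",
    "1276000001.456 10.0.0.12 GET http://download.[REMOVED].biz/traff/ppiigg.exe 200",
    "1276000002.789 10.0.0.12 GET http://[REMOVED].biz/wrkni05/r.php 200",
]


def parse_reg_query(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse `reg query ... /s` output into (key, name, type, data) tuples."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # unindented line = subkey path
            key = line.strip()
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if key and len(parts) == 3:
            name, rtype, data = parts
            entries.append((key, name, rtype, data))
    return entries


def flag_run_entries(entries) -> List[Tuple[str, str, str, str]]:
    """Return (key, name, data, reason) for autostart values matching the write-up."""
    hits = []
    for key, name, _rtype, data in entries:
        if "\\currentversion\\run" not in key.lower():   # Run and RunServices only
            continue
        if RUN_NAME_RE.match(name) and RUN_DATA_RE.search(data):
            hits.append((key, name, data, "_zsk autostart"))
        elif name.lower() == EXPLORER_NAME:
            hits.append((key, name, data, "Explorer 2238 autostart"))
        elif data.lower().endswith("\\" + DROPPED_FILE):
            hits.append((key, name, data, "TheMatrixHasYou.exe"))
    return hits


def flag_proxy_log(lines) -> List[Tuple[str, str]]:
    """Return (client, url) for GET requests to the beacon or downloader paths."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "GET" and C2_URL_RE.match(fields[3]):
            hits.append((fields[1], fields[3]))
    return hits


def mutex_present(name: str = MUTEX) -> bool:
    """Windows only: True if the step-1 mutex already exists on this host."""
    if not sys.platform.startswith("win"):
        raise OSError("named-mutex check requires Windows")
    import ctypes
    k32 = ctypes.windll.kernel32
    handle = k32.OpenMutexW(0x00100000, False, name)   # SYNCHRONIZE access
    if handle:
        k32.CloseHandle(handle)
        return True
    return False


if __name__ == "__main__":
    for key, name, data, reason in flag_run_entries(parse_reg_query(SAMPLE_REG)):
        print(f"[run-key] {reason}: {key}\\{name} -> {data}")
    for client, url in flag_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[proxy]   {client} -> {url}")
```

On a live Windows host, feed `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s` (and the RunServices and HKCU keys) into `parse_reg_query` instead of the sample; the `_zsk` match requires both the value name and the target file name to fit the pattern, which keeps a benign value that merely starts with `_zsk` from being flagged.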
Recommended Action
- Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option.
- Quarantine/delete infected files detected and replace infected files with clean backup copies.
Detection Availability
Product | Level |
---|---|
FortiGate | Extreme |
FortiClient | Extended |
FortiMail | Extended |
FortiSandbox | Extended |
FortiWeb | Extended |
Web Application Firewall | Extended |
FortiIsolator | Extended |
FortiDeceptor | Extended |
FortiEDR | |
Version Updates
Date | Version | Detail |
---|---|---|
2023-11-01 | 91.08413 | |
2023-04-26 | 91.02726 | |
2020-08-18 | 79.72000 | Sig Updated |
2020-08-11 | 79.55200 | Sig Updated |
2020-08-04 | 79.38400 | Sig Updated |
2020-07-28 | 79.21600 | Sig Updated |
2020-05-17 | 77.48800 | Sig Updated |
2020-05-09 | 77.29900 | Sig Updated |
2020-05-06 | 77.23400 | Sig Updated |
2020-05-05 | 77.20900 | Sig Updated |