W32/Agent.KM!tr

Analysis

W32/Agent.KM!tr - 06-07-10


General Info:

This threat is a PE executable file with a file size of 35949 bytes, packed with FSG.

Network/Internet:

  • Connects to Server: HTTP
  • Other Payloads: Listen on incoming ports + Downloads updates

Files:

  • Copies itself to: %SystemRoot%/%WinDir%
  • Drops files: ".exe"

More Info:

1. While running in memory, the virus creates the named mutex "wrs23nz-01dfp" to ensure that only one instance of the virus is executed on the computer.
2. Creates a copy of itself in the %SYSTEM% folder as "_zskwrkni05{RANDOM}.exe" and then registers itself to run at each Windows startup by adding the entry:
"_zsk{RANDOM}" = "%SYSTEM%\_zskwrkni05{RANDOM}.exe"
to the following registry subkeys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3. Creates the following registry subkey:
HKLM\Software\Microsoft\ATI_VER
It also creates the following registry entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
"Explorer 2238" = "%SystemDir%\{Random_Filename}"
4. May download malware from the following URL and execute it:
http: //download.[REMOVED].biz/traff/ppiigg.exe
5. Attempts to terminate processes containing the following strings:
antinet8
ati2evxx
atipalxx
atipatnm
atipatxx
atiptilt
atiupdpl
bargains.exe
chk037
cmmon
cnkdsk
csrsvr
drwtsn64
eventwvr
frescra
gadgscan
hedgie
jucheck.exe
k1elo
kb691498
kb691499
leeman
listmru
logopod
mcvsshld.exe
mppey.exe
mpsegment
...
6. Drops the file "TheMatrixHasYou.exe" in the %SYSTEM% folder; this file is malware that Fortinet detects as "W32/Small.BO!tr".
7. Opens a proxy on a random TCP port.
8. Sends GET requests with information about the compromised computer to the following URL: http: //[REMOVED].biz/wrkni05/r.php
The information includes the following:
proxy port number
IP address
OS version
VolumeSerialNumber


9. Based on its behaviour, the malware appears to contain rootkit capability.
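A defender-side check for the persistence indicators in steps 1 to 3, added here as an example that is not part of the original Fortinet entry. It parses a small constructed .reg-style export (the benign entries, the random suffixes and the file names in it are made up for the example) and flags Run/RunServices values that follow the "_zsk{RANDOM}" / "_zskwrkni05{RANDOM}.exe" pattern, the "Explorer 2238" value, and the ATI_VER marker subkey; the mutex name is compared against a caller-supplied list of open mutex names, which on a live host would come from a handle-enumeration tool. Function names are my own.

```python
import re

# Indicators taken from the analysis above.
MUTEX_NAME = "wrs23nz-01dfp"
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
    r"hkcu\software\microsoft\windows\currentversion\run",
}
MARKER_SUBKEY = r"hklm\software\microsoft\ati_ver"
EXPLORER_VALUE_NAME = "Explorer 2238"
# Value name "_zsk{RANDOM}" whose data ends in "_zskwrkni05{RANDOM}.exe".
ZSK_NAME = re.compile(r"^_zsk", re.IGNORECASE)
ZSK_DATA = re.compile(r"_zskwrkni05[^\\]*\.exe\s*$", re.IGNORECASE)

# One "name"="data" line of a .reg export (string values only).
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def normalize_key(key):
    """Map long hive names to HKLM/HKCU and lower-case for comparison."""
    for long_name, short_name in HIVE_ALIASES.items():
        if key.upper().startswith(long_name):
            key = short_name + key[len(long_name):]
            break
    return key.lower()


def parse_reg_export(text):
    """Return (key, name, data) tuples; a key line itself yields (key, None, None)."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.append((key, None, None))
            continue
        match = VALUE_RE.match(line)
        if match and key is not None:
            # .reg files escape backslashes as "\\"; collapse them back.
            name, data = match.group(1), match.group(2).replace("\\\\", "\\")
            entries.append((key, name, data))
    return entries


def find_indicators(entries):
    """Return (kind, detail) findings for the registry artefacts described above."""
    findings = []
    for key, name, data in entries:
        nkey = normalize_key(key)
        if name is None:
            if nkey == MARKER_SUBKEY:
                findings.append(("marker_subkey", key))
            continue
        if nkey not in RUN_KEYS:
            continue
        if ZSK_NAME.match(name) and ZSK_DATA.search(data):
            findings.append(("zsk_run_entry", f"{key}\\{name} = {data}"))
        elif name == EXPLORER_VALUE_NAME:
            findings.append(("explorer_2238_run_entry", f"{key}\\{name} = {data}"))
    return findings


def mutex_is_present(open_mutex_names):
    """True if the infection marker mutex appears in the supplied handle names."""
    return MUTEX_NAME in set(open_mutex_names)


# Constructed sample export: two benign autoruns plus the artefacts from steps 2 and 3.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"_zskq7x2"="C:\\Windows\\system32\\_zskwrkni05q7x2.exe"
"Explorer 2238"="C:\\Windows\\system32\\kx8mwq.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\ATI_VER]
'''

if __name__ == "__main__":
    for kind, detail in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{kind}: {detail}")
    print("mutex present:", mutex_is_present(["wrs23nz-01dfp", "Global\\SomeOtherMutex"]))
```

The value-name and data patterns are matched together so that an unrelated autorun whose name happens to start with "_zsk" is not reported on its own; the ATI_VER subkey is reported from the key line alone because the analysis lists its mere presence as an artefact.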

Recommended Action


FortiGate systems:
  • Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option.

FortiClient systems:
  • Quarantine/delete infected files detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product Availability
FortiGate Extreme
FortiClient Extended
FortiMail Extended
FortiSandbox Extended
FortiWeb Extended
Web Application Firewall Extended
FortiIsolator Extended
FortiDeceptor Extended
FortiEDR

Version Updates

Date Version Detail
2023-11-01 91.08413
2023-04-26 91.02726
2020-08-18 79.72000 Sig Updated
2020-08-11 79.55200 Sig Updated
2020-08-04 79.38400 Sig Updated
2020-07-28 79.21600 Sig Updated
2020-05-17 77.48800 Sig Updated
2020-05-09 77.29900 Sig Updated
2020-05-06 77.23400 Sig Updated
2020-05-05 77.20900 Sig Updated