W32/Dorkbot.BAA!tr
Analysis
W32/Dorkbot.BAA!tr is a generic detection for a type of trojan that drops other malware onto the compromised computer. Since this is a generic detection, files that are detected as W32/Dorkbot.BAA!tr may have varying behavior.
Below are examples of some of these behaviors:
- It drops a copy of itself into the user's Application Data folder with a randomized file name.
- Network activity has been observed connecting to the following sites via TCP port 1866:
  - IP: 69.43{Removed}
  - IP: 112.125{Removed}
  - IP: 95.142{Removed}
- It deletes its original copy after execution.
Recommended Action
- FortiGate Systems
  - Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
- FortiClient Systems
  - Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
FortiGate | |
---|---|
FortiClient | |
FortiAPS | |
FortiAPU | |
FortiMail | |
FortiSandbox | |
FortiWeb | |
Web Application Firewall | |
FortiIsolator | |
FortiDeceptor | |
FortiEDR | |
Version Updates
Date | Version | Detail |
---|---|---|
2024-03-08 | 92.02250 | |
2022-08-25 | 90.05404 | |
2022-06-13 | 90.03224 | |
2022-06-09 | 90.03097 | |
2020-01-28 | 74.86100 | Sig Added |
2020-01-23 | 74.74500 | Sig Updated |
2019-05-07 | 68.34700 | Sig Added |
2019-05-03 | 68.25000 | Sig Updated |
2019-04-05 | 67.58100 | Sig Added |
2019-04-03 | 67.52800 | Sig Updated |