- Upon execution, it drops the following files:
- %AppData%\[RandomFilename_1].exe : This file is also detected as W32/Lockscreen.LOA!tr.
- %AppData%\[RandomFilename_2].exe : This file is detected as W32/Kryptik.BYA!tr.
- Other data files are dropped in the user's Application Data folder; they are randomly named and have no file extension. These files are non-malicious.
- The malware was observed to perform DNS queries to:
- The following registry modifications are applied:
- [RandomReg_3] = [HexValues], e.g., hex:a1,49,3f,8d,6a,6f,6e,81,84,4a,c9,0b,2b,a2,ab,eb...
- [RandomReg_4] = [HexValues], e.g., hex:a1,49,3f,8d,6f,7c,72,91,d5,4a,c9,0b...
- [RandomReg_1] = %AppData%\[RandomFilename_1].exe
- [RandomReg_2] = %AppData%\[RandomFilename_2].exe
- The two registry values above point at the dropped executables and cause them to be executed automatically every time the infected user logs on, giving the malware persistence across reboots.
- The malware file uses the Word Document icon so that it passes for a document when the user sees it in Explorer.
- Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
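- The autostart pattern described above (string values naming an .exe dropped directly in %AppData%, next to opaque hex-valued entries) can be hunted for offline in a registry export. The script below is an added example, not code from the advisory or from Fortinet: it parses the text produced by `reg export` and flags values that match the pattern. The sample export, the assumption that the values live under the user's `Run` key (the advisory only says they execute at logon), and all file names, paths and bytes are constructed for the example.

```python
"""Offline triage of a Run-key export for the autostart pattern above."""
import re
from pathlib import PureWindowsPath

# Constructed sample of what `reg export` of a user's Run key could look like
# on an infected host. The Run key itself is an assumption (the advisory only
# says the values make the dropped files execute at every logon); all names,
# paths and bytes below are made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"ylqzvk"="C:\\Users\\alice\\AppData\\Roaming\\ylqzvk.exe"
"rpgwhm"="C:\\Users\\alice\\AppData\\Roaming\\rpgwhm.exe"
"bqnxtd"=hex:a1,49,3f,8d,6a,6f,6e,81,84,4a,c9,0b,2b,a2,ab,eb,\
  11,22,33
'''

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> dict:
    """Return {key: {value_name: (type, data)}} for a Windows .reg export.

    Handles REG_SZ ("..."), REG_BINARY (hex:..., with line continuations)
    and REG_DWORD (dword:...); anything else is kept as its raw text.
    """
    # Join hex continuation lines ("...,eb,\" + newline + indent) first.
    text = re.sub(r',\\\r?\n\s*', ',', text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = '@' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = ('REG_SZ', _unescape(data[1:-1]))
        elif data.startswith('hex:'):
            pairs = [p.strip() for p in data[4:].split(',') if p.strip()]
            keys[current][name] = ('REG_BINARY', bytes.fromhex(''.join(pairs)))
        elif data.startswith('dword:'):
            keys[current][name] = ('REG_DWORD', int(data[6:], 16))
        else:
            keys[current][name] = ('RAW', data)
    return keys


def _executable_from_command(cmd: str) -> str:
    """Extract the program path from a Run value's command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def is_appdata_root_exe(path: str) -> bool:
    """True for an .exe sitting directly in %AppData% (the user's
    AppData\\Roaming folder), expanded or not: the drop location described."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    if p.suffix.lower() != '.exe' or len(parts) < 2:
        return False
    return parts[-2] == '%appdata%' or parts[-3:-1] == ['appdata', 'roaming']


def find_suspicious_autoruns(reg_text: str) -> list:
    """Return (key, value_name, reason) for values matching the pattern."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        for name, (vtype, data) in values.items():
            if vtype == 'REG_SZ' and is_appdata_root_exe(_executable_from_command(data)):
                hits.append((key, name, 'autorun of an .exe dropped directly in %AppData%'))
            elif vtype == 'REG_BINARY':
                # Run values are command lines; an opaque blob here matches the
                # hex-valued entries the malware writes alongside its autoruns.
                hits.append((key, name, f'{len(data)}-byte binary blob in an autorun key'))
    return hits


if __name__ == '__main__':
    for key, name, reason in find_suspicious_autoruns(SAMPLE_REG):
        print(f'{key}\\{name}: {reason}')
```

- The legitimate OneDrive entry is not flagged because its executable lives under `AppData\Local\...`, not directly in `%AppData%`; only the two random-named executables and the binary blob are reported. Run the script against a real export (`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`, then read the file with the `utf-16` encoding that `reg export` uses) and treat each hit as a candidate for the quarantine step, not as a verdict on its own.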