W32/Kolweb.A!tr
Analysis
This trojan is capable of connecting to the following URLs:
- http://aidintime.com/money/
- http://bascowater.com/money/
- http://camberageflex.com/money/
- http://collarsaround.com/money/
- http://emorningmoss.net/money/
- http://etightstrings.net/money/
- http://logiose.com/money/
- http://moltenmagnet.net/money/
- http://money.cafreedom.com/money/
- http://netremoteline.com/money/
- http://treestompertime.net/money/
It may also hook itself into the system through the following registry keys:
- Software\Microsoft\Windows\CurrentVersion\Run
- Software\Microsoft\Windows\CurrentVersion\RunOnce
- Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\
It may also contain the following strings:
- Sorry, FirstDelay is not reached yet. Waiting ...
- Sorry, PopUpSlayer installed, stop show ads...
- Sorry, adDelay is not reached yet. Waiting ...
- Sorry, all ads already served, waiting time interval
- Sorry, borndelay is not reached yet, Redirect stopped, waiting...
- Sorry, borndelay is not reached yet, waiting...
The following file names are associated with this trojan:
- b01927.exe
- b01960.exe
- c00460.exe
- c00826.exe
- jqzc.dll
- noname.dat
Recommended Action
To manually clean this trojan, you may follow this short procedure:
- Remove any registry entries that point to the virus files.
- Restart the machine in Safe Mode, then delete the virus files.
- Block the URLs/sites listed above at the proxy or firewall.
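The three steps above, as an added PowerShell example for this page (it is not Fortinet's own tooling). It looks for the registry keys listed in the analysis whose data points at one of the listed file names, reports what it finds, removes the entries and files only when `-Remove` is given (`-WhatIf` previews the changes), and prints the hosts to block. Two assumptions that the page does not state: the registry paths are checked under both HKCU and HKLM, and file locations are taken from the registry data that references them rather than from a fixed directory.

```powershell
# Added example (not from the Fortinet page): hunt for W32/Kolweb.A!tr persistence
# entries and files named in the analysis above, remove them on request, and list
# the hosts to block. Run in an elevated PowerShell session.
# Assumptions not stated on the page: keys are checked under HKCU and HKLM, and
# file paths are read from the registry data that references them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without this switch the script only reports
)

# Indicators copied from the analysis section.
$FileNames = 'b01927.exe', 'b01960.exe', 'c00460.exe', 'c00826.exe', 'jqzc.dll', 'noname.dat'
$Urls = @(
    'http://aidintime.com/money/', 'http://bascowater.com/money/',
    'http://camberageflex.com/money/', 'http://collarsaround.com/money/',
    'http://emorningmoss.net/money/', 'http://etightstrings.net/money/',
    'http://logiose.com/money/', 'http://moltenmagnet.net/money/',
    'http://money.cafreedom.com/money/', 'http://netremoteline.com/money/',
    'http://treestompertime.net/money/'
)
$RelativeKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# One regex matching any listed file name; a drive-letter path ending in one of
# them is captured so the file can be deleted after its registry entry.
$namePattern = ($FileNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
$pathPattern = "(?i)[a-z]:\\[^`"<>|]*?(?:$namePattern)"

$findings = New-Object System.Collections.Generic.List[object]

foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($rel in $RelativeKeys) {
        $key = Join-Path $hive $rel
        if (-not (Test-Path -Path $key)) { continue }

        # Run / RunOnce: a value whose data points at one of the files.
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
            if ("$($p.Value)" -match $pathPattern) {
                $findings.Add([pscustomobject]@{
                    Kind = 'RunValue'; Key = $key; Name = $p.Name; File = $Matches[0] })
            }
        }

        # Browser Helper Objects: each subkey is a CLSID; the InprocServer32 default
        # value of that CLSID under HKCR names the DLL that Explorer/IE loads.
        foreach ($sub in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
            $clsid  = $sub.PSChildName
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if ("$dll" -match $pathPattern) {
                $findings.Add([pscustomobject]@{
                    Kind = 'BHO'; Key = $key; Name = $clsid; File = $Matches[0] })
            }
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No Kolweb persistence entries found.' }
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Step 1: remove the registry entry first so the file is not relaunched at logon.
        if ($f.Kind -eq 'RunValue') {
            if ($PSCmdlet.ShouldProcess("$($f.Key)\$($f.Name)", 'Remove registry value')) {
                Remove-ItemProperty -Path $f.Key -Name $f.Name
            }
        } elseif ($PSCmdlet.ShouldProcess("$($f.Key)\$($f.Name)", 'Remove BHO registration')) {
            Remove-Item -Path (Join-Path $f.Key $f.Name) -Recurse
        }
        # Step 2: delete the file. A file that is still loaded cannot be deleted;
        # per the recommended action, reboot into Safe Mode and delete it there.
        if ((Test-Path -LiteralPath $f.File) -and $PSCmdlet.ShouldProcess($f.File, 'Delete file')) {
            try   { Remove-Item -LiteralPath $f.File -Force -ErrorAction Stop }
            catch { Write-Warning "Could not delete $($f.File) ($_). Reboot into Safe Mode and retry." }
        }
    }
}

# Step 3: hosts to block on the proxy/firewall, derived from the URL list.
Write-Host "`nHosts to block:"
$Urls | ForEach-Object { ([uri]$_).Host } | Sort-Object -Unique
```

Run it once without `-Remove` to see what would be touched, then with `-Remove -WhatIf` to preview, and finally with `-Remove`. Files that refuse deletion because they are loaded are reported with a warning; those are the ones to delete after the Safe Mode reboot the page recommends.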
Detection Availability
Product | Availability |
---|---|
FortiGate | Extreme |
FortiClient | Extended |
FortiMail | Extended |
FortiSandbox | Extended |
FortiWeb | Extended |
Web Application Firewall | Extended |
FortiIsolator | Extended |
FortiDeceptor | Extended |
FortiEDR | |
Version Updates
Date | Version | Detail |
---|---|---|
2020-06-02 | 77.87200 | Sig Updated |
2020-03-24 | 76.19800 | Sig Updated |
2020-03-11 | 75.89700 | Sig Updated |
2020-03-04 | 75.72300 | Sig Updated |
2020-01-21 | 74.67800 | Sig Updated |
2019-12-24 | 74.02900 | Sig Updated |
2019-12-24 | 74.02700 | Sig Updated |
2019-12-10 | 73.69300 | Sig Updated |
2019-11-03 | 72.80500 | Sig Updated |
2019-10-18 | 72.42800 | Sig Added |