Virus

W32/Generic.C!tr

Analysis


W32/Generic.C!tr is a generic detection for a type of trojan that uses a polymorphic custom packer. Since this is a generic detection, malware samples detected as W32/Generic.C!tr may have varying behavior.
Below are examples of some of these behaviors:

  • It creates the following files:
    • %AppData%\Mozilla\{Random 7 Letters}.dll: This can be detected as W32/Agentb.AAKP!tr.
    • %AppData%\Mozilla\{Random 7 Letters}.exe: This is a copy of itself with eight bytes appended and is also detected as W32/Generic.C!tr.

  • It adds the following registry value to enable its automatic execution (AppInit_DLLs causes the listed DLL to be loaded into every process that loads user32.dll):
    • key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    • value: AppInit_DLLs
    • data: %AppData%\Mozilla\{Random 7 Letters}.dll
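The following PowerShell script is an added example for checking a Windows host against the indicators listed above; it is not part of the Fortinet page. It assumes it runs with administrator rights, that the "Random 7 Letters" names are alphabetic, and that user profiles live under C:\Users. It reports findings rather than deleting anything, so that quarantine can follow the Recommended Action below.

```powershell
# Added example (not from the Fortinet page): report the AppInit_DLLs persistence
# entry and the dropped files described for W32/Generic.C!tr.
# Assumptions: administrator rights; 7-letter names are alphabetic (regex below);
# user profiles are under C:\Users.

$findings = @()

# 1. AppInit_DLLs in both the native and the 32-bit (WOW64) registry views.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $appInit = [string]$props.AppInit_DLLs
    $load    = $props.LoadAppInit_DLLs            # 1 = DLLs are actually loaded
    if ([string]::IsNullOrWhiteSpace($appInit)) { continue }

    # AppInit_DLLs is a space- or comma-separated list of DLL paths.
    foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        # A machine-wide AppInit entry pointing into a per-user %AppData% folder
        # is suspicious on its own; the Mozilla\<7 letters>.dll shape matches the IOC.
        $matchesIoc = ($expanded -match '\\Mozilla\\[A-Za-z]{7}\.dll$') -or
                      ($dll -match '(?i)%AppData%')
        $findings += [pscustomobject]@{
            Type       = 'Registry'
            Location   = "$key\AppInit_DLLs"
            Detail     = "$dll (LoadAppInit_DLLs=$load)"
            MatchesIOC = $matchesIoc
        }
    }
}

# 2. Dropped files: %AppData%\Mozilla\<7 letters>.dll / .exe in every user profile.
$profiles = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue
foreach ($profile in $profiles) {
    $dir = Join-Path -Path $profile.FullName -ChildPath 'AppData\Roaming\Mozilla'
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[A-Za-z]{7}\.(dll|exe)$' } |
        ForEach-Object {
            # SHA256 is recorded so the sample can be submitted or cross-checked.
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{
                Type       = 'File'
                Location   = $_.FullName
                Detail     = "size=$($_.Length) sha256=$hash"
                MatchesIOC = $true
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No AppInit_DLLs entries or matching files found.'
} else {
    $findings | Sort-Object MatchesIOC -Descending | Format-Table -AutoSize -Wrap
}
```

Any AppInit_DLLs entry is worth reviewing even when it does not match the Mozilla naming pattern, since the value is empty on a clean default installation; the script therefore lists every entry and only flags the IOC-shaped ones. Legitimate Mozilla products keep their data in subfolders of %AppData%\Mozilla, so files placed directly in that folder are the ones of interest here.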

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the 'Allow Push Update' option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.