MSIL/Nanocore.BT!tr

Analysis


MSIL/Nanocore.BT!tr is a detection for a trojan with backdoor capabilities.
Below are some of its observed behaviours/characteristics:

  • It drops the following files:
    • %AppData%\[GUID]\Logs\[Username] : This is the folder where the malware stores its logs.
    • %AppData%\[GUID]\run.dat : This is a data file.

  • This trojan gathers the following information:
    • Computer name
    • IP
    • Country
    • CPU usage
    • RAM usage
    • Active window
    • OS
    • Role
    • Architecture
    • Installed Anti-Virus
    • Firewall

  • This trojan has the following capabilities:
    • Reboot/Shutdown computer
    • Manipulate files
    • Manipulate running processes
    • Manipulate the registry
    • Execute shell commands
    • Remotely execute scripts/executables
    • Steal stored passwords
    • Enable/Disable webcam light
    • Open/Close CD Drive
    • Turn On/Off the monitor
    • Reverse mouse buttons
    • View DNS records
    • Keylogging
    • Browse logs
    • Spoof video feeds
    • Spoof audio feeds

  • This trojan sends the gathered information to its C&C:
    • 42.[removed]:47581
    • 41.[removed]:47581
    • 160.[removed]:47581
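The two dropped-file paths above are the most practical host-side indicators in this entry, since the C&C addresses are redacted. The following script is an added triage example, not part of the Fortinet analysis, that walks %AppData% for a GUID-named folder containing `run.dat` and a `Logs\[Username]` subfolder, as described above. The GUID format (with or without braces), the confidence scoring, and all sample paths and file contents are assumptions or constructed test data; a hit is a lead to confirm with the AV detection, not a verdict on its own.

```python
"""Host triage for the MSIL/Nanocore.BT!tr file artifacts: %AppData%\\[GUID]\\run.dat
and %AppData%\\[GUID]\\Logs\\[Username]. Added example; GUID shape and scoring are assumptions."""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Folder names shaped like a GUID, e.g. {3F2504E0-4F89-11D3-9A0C-0305E82C3301}; braces optional.
GUID_RE = re.compile(
    r"^\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?$"
)


def find_nanocore_artifacts(appdata: Path) -> List[Dict[str, object]]:
    """Return one record per GUID-named folder under `appdata` that shows the documented layout."""
    hits: List[Dict[str, object]] = []
    if not appdata.is_dir():
        return hits
    for entry in sorted(appdata.iterdir()):
        if not entry.is_dir() or not GUID_RE.match(entry.name):
            continue
        run_dat = entry / "run.dat"
        logs_dir = entry / "Logs"
        has_run_dat = run_dat.is_file()
        # Each subfolder of Logs is named after the victim account whose activity it records.
        log_users = sorted(p.name for p in logs_dir.iterdir() if p.is_dir()) if logs_dir.is_dir() else []
        if has_run_dat or log_users:
            hits.append({
                "folder": str(entry),
                "run_dat": has_run_dat,
                "run_dat_size": run_dat.stat().st_size if has_run_dat else 0,
                "log_users": log_users,
                # Assumed scoring: both artifacts present is a strong match; one alone needs review.
                "confidence": "high" if (has_run_dat and log_users) else "low",
            })
    return hits


def default_appdata() -> Path:
    """%AppData% on Windows; fall back to ~/.config so the script still runs elsewhere."""
    return Path(os.environ.get("APPDATA") or Path.home() / ".config")


def build_sample_appdata(root: Path) -> Path:
    """Constructed %AppData% tree: one folder mimicking the documented layout, one GUID-named
    folder from a benign application, and one ordinary vendor folder."""
    infected = root / "{0B7F1F26-41C3-4E0B-9D3F-8A2C9E5D1B77}"  # constructed GUID
    (infected / "Logs" / "alice").mkdir(parents=True)
    (infected / "Logs" / "alice" / "KB_constructed.dat").write_bytes(b"\x00" * 16)
    (infected / "run.dat").write_bytes(b"\x01\x02\x03\x04")  # constructed data file
    benign = root / "{6E1A7B9C-2D3E-4F50-8A61-7B2C3D4E5F60}"  # constructed GUID, no artifacts
    benign.mkdir()
    (benign / "settings.xml").write_text("<settings/>")
    (root / "Microsoft").mkdir()  # ordinary non-GUID folder, must be ignored
    return root


def demo() -> List[Dict[str, object]]:
    """Scan the constructed tree and return the hits (only the mimicking folder should match)."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_nanocore_artifacts(build_sample_appdata(Path(tmp)))


if __name__ == "__main__":
    for hit in find_nanocore_artifacts(default_appdata()) or demo():
        print(f"[{hit['confidence']}] {hit['folder']}  run.dat={hit['run_dat']} "
              f"({hit['run_dat_size']} bytes)  log users={hit['log_users']}")
```

Run it on a live system as the affected user so %AppData% resolves to that profile; on a clean machine the script falls back to the constructed sample so the output format can be checked. Any folder it reports should be preserved (not deleted) until the AV detection confirms it, because legitimate software also uses GUID-named folders under %AppData%.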


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.