Virus

W32/Generic.BN!tr

Analysis

W32/Generic.BN!tr is a generic detection for a type of trojan that drops other malware onto the compromised computer. Since this is a generic detection, files that are detected as W32/Generic.BN!tr may have varying behavior.
Below are examples of some of these behaviors:

  • It drops the following files:
    • %Temp%\lcice.exe : This file is detected as W32/Kryptik.OOU!tr and is nearly a direct copy of the original except that the full file path of the original is appended to its overlay.

  • It makes the following network connections:
    • Makes an HTTP request with user-agent: "little update" to ita[REMOVED]/fpdf/2804UKm.dat.

  • If the response from ita[REMOVED]/fpdf/2804UKm.dat contains an executable file, it attempts to write it to the current directory and executes it as sedil.exe.
  • It may use the PDF icon to masquerade as a PDF file.
  • It attempts to delete the original file from the file path found in the overlay.
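The dropped copy described above carries a useful forensic artifact: the original's full file path sits in the PE overlay (the bytes after the last section). As an added triage check that is not part of this Fortinet entry, the following Python locates the overlay from the section table and extracts any Windows path found there; the minimal PE it builds as sample input is constructed for illustration, not taken from a real sample.

```python
import re
import struct

SECTION_HEADER_SIZE = 40
# A Windows drive-letter path such as C:\Users\...\file.exe
PATH_RE = re.compile(rb"[A-Za-z]:\\[^\x00-\x1f\"<>|]+")


def overlay_offset(data: bytes) -> int:
    """Return the file offset where the overlay begins (end of the last raw section)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    table = pe + 24 + opt_size                            # first section header
    end = table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * SECTION_HEADER_SIZE + 16)
        end = max(end, raw_ptr + raw_size)               # sections need not be in file order
    return end


def extract_overlay_path(data: bytes):
    """Return the first Windows path found in the overlay, or None if there is no overlay/path."""
    match = PATH_RE.search(data[overlay_offset(data):])
    return match.group(0).decode("latin-1") if match else None


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal 32-bit PE image with one section (sample input, not a real binary)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = b"\0" * opt_size                                          # zeroed optional header
    raw_size = 0x10
    data_start = 0x40 + 4 + len(coff) + opt_size + SECTION_HEADER_SIZE
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, data_start, 0, 0, 0, 0, 0x60000020)
    body = b"\xC3" * raw_size                                       # fake code bytes
    return dos + b"PE\0\0" + coff + opt + section + body + overlay
```

On a real dropped file, hashing `data[:overlay_offset(data)]` and comparing it with the original's hash confirms the "near-direct copy" relationship the analysis describes.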

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.