W32/Generic.BN!tr is a generic detection for a type of trojan that drops other malware onto the compromised computer. Since this is a generic detection, files that are detected as W32/Generic.BN!tr may have varying behavior.
Below are examples of some of these behaviors:
- It drops the following file:
  - %Temp%\lcice.exe : This file is detected as W32/Kryptik.OOU!tr and is nearly a direct copy of the original, except that the full file path of the original is appended to its overlay.
- It makes the following network connections:
  - Makes an HTTP request with the user-agent "little update" to ita[REMOVED]/fpdf/2804UKm.dat.
  - If the response from ita[REMOVED]/fpdf/2804UKm.dat contains an executable file, it attempts to write it to the current directory and executes it as sedil.exe.
- It may use the PDF icon to masquerade as a PDF file.
- It attempts to delete the original file from the file path found in the overlay.
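Two of the behaviors above leave artifacts a responder can check for without running the sample: the dropped copy carries the original's path in its PE overlay, and the download uses a distinctive User-Agent string. The following Python is an added example, not Fortinet's code: it parses the PE section table to locate the overlay, extracts a Windows path from it, compares a dropped copy with its original with the overlay stripped, and scans proxy log lines for the User-Agent. The minimal PE builder, the log line format and the sample log entries are constructed for this example; the User-Agent string and URL are the ones quoted in the description.

```python
"""Triage helpers for the behaviors described above (added example)."""
import re
import struct
from typing import List, Optional, Tuple

E_LFANEW_OFFSET = 0x3C                 # DOS header field holding the PE header offset
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"           # Machine, NumberOfSections, TimeDateStamp, PtrSymTab,
                                       # NumSymbols, SizeOfOptionalHeader, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"    # Name, VirtSize, VirtAddr, SizeOfRawData, PtrRawData, ...
COFF_HEADER_SIZE = struct.calcsize(COFF_HEADER_FMT)        # 20
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40

WINDOWS_PATH_RE = re.compile(rb"^[A-Za-z]:\\[^\x00]+$")
SUSPECT_USER_AGENT = "little update"   # User-Agent quoted in the description above


def overlay_offset(data: bytes) -> int:
    """Offset where the overlay begins (end of the last section's raw data).
    Returns -1 if `data` does not parse as a PE file."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        return -1
    pe_off = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[pe_off:pe_off + 4] != PE_SIGNATURE:
        return -1
    coff_off = pe_off + 4
    if len(data) < coff_off + COFF_HEADER_SIZE:
        return -1
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    sec_off = coff_off + COFF_HEADER_SIZE + opt_size
    end = 0
    for i in range(num_sections):
        off = sec_off + i * SECTION_HEADER_SIZE
        if len(data) < off + SECTION_HEADER_SIZE:
            return -1
        fields = struct.unpack_from(SECTION_HEADER_FMT, data, off)
        size_raw, ptr_raw = fields[3], fields[4]
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data)) if end else -1


def overlay(data: bytes) -> bytes:
    """Bytes appended after the last section (empty if none, or not a PE)."""
    off = overlay_offset(data)
    return b"" if off < 0 else data[off:]


def body(data: bytes) -> bytes:
    """The PE image without its overlay; lets a dropped copy be compared with
    the original it was copied from."""
    off = overlay_offset(data)
    return data if off < 0 else data[:off]


def overlay_path(data: bytes) -> Optional[str]:
    """Windows path stored in the overlay, if the overlay consists of one."""
    raw = overlay(data).rstrip(b"\x00")
    return raw.decode("latin-1") if WINDOWS_PATH_RE.match(raw) else None


def build_sample_pe(overlay_bytes: bytes = b"") -> bytes:
    """Constructed, non-loadable PE image with one section (for the example only):
    headers, padding to 0x200, 0x200 bytes of filler, then `overlay_bytes`."""
    pe_off, raw_ptr = 0x40, 0x200
    section_data = b"\x90" * 0x200     # filler, not real code
    dos = b"MZ" + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", pe_off)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, 1, 0, 0, 0, 0, 0x102)  # no optional header
    section = struct.pack(SECTION_HEADER_FMT, b".text", len(section_data), 0x1000,
                          len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = (dos + PE_SIGNATURE + coff + section).ljust(raw_ptr, b"\0") + section_data
    return image + overlay_bytes


# Constructed, simplified proxy log format: "<ts> <src> <method> <url> <status> "<ua>""
LOG_LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def suspicious_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """(source, url) pairs for requests carrying the User-Agent above."""
    hits = []
    for line in log_lines:
        m = LOG_LINE_RE.match(line.rstrip("\n"))
        if m and m.group("ua").strip().lower() == SUSPECT_USER_AGENT:
            hits.append((m.group("src"), m.group("url")))
    return hits


SAMPLE_LOG = [  # constructed sample entries; hosts and IPs are placeholders
    '2024-01-01T10:00:01Z 10.0.0.5 GET http://example.invalid/index.html 200 "Mozilla/5.0"',
    '2024-01-01T10:00:07Z 10.0.0.7 GET http://ita[REMOVED]/fpdf/2804UKm.dat 200 "little update"',
    '2024-01-01T10:00:09Z 10.0.0.5 GET http://example.invalid/favicon.ico 304 "Mozilla/5.0"',
]

if __name__ == "__main__":
    original = build_sample_pe()
    dropped = build_sample_pe(b"C:\\Users\\victim\\Downloads\\invoice.pdf.exe\x00")  # constructed path
    print("overlay path:", overlay_path(dropped))
    print("same body as original:", body(original) == body(dropped))
    print("suspicious requests:", suspicious_requests(SAMPLE_LOG))
```

The overlay is located from the section table rather than by searching for a path string, so padding or other appended data does not confuse it; `body()` then lets you confirm that the dropped file really is a copy of the original apart from the overlay. Substitute `open(path, "rb").read()` for the constructed image and your proxy export for `SAMPLE_LOG` when triaging a real case.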
Recommended actions:
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine or delete files that are detected, and replace infected files with clean backup copies.