Virus

W32/Generic.AR!tr

Analysis



W32/Generic.AR!tr is a generic detection for a trojan. Because the detection is generic, samples detected as W32/Generic.AR!tr may exhibit varying behaviour.
Below are examples of some of these behaviours:

  • This malware drops the following files:
    • %desktop%\game.exe : This file is a copy of the original malware itself.
    • %desktop%\game.exe:zone.identifier : This file is detected as W32/Generic.AR!tr.
    • %Temp%\windowz.exe : This file is a copy of the original malware itself.
    • %StartUp%\9f7f2173619f650345ea1ca6aab1e770.exe : This file is a copy of the original malware itself.
    • %systemdrive%\pornpic.scr : This file is a copy of the original malware itself.
    • %AppData%\Local\Temp\Update.txt : This text file contains the exact path for the malware.

  • The malware attempts to connect to the following sites:
    • spr2{Removed}.ze.am
    • gkgk554{Removed}.codns.com
    • 8{Removed}.208.230.159

  • Some of these samples have been observed to be corrupted or non-functional.

  • The following registry modifications are applied:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
      • 9f7f2173619f650345ea1ca6aab1e770 = "%AppData%\local\temp\windowz.exe"
      This automatically executes the dropped file every time the infected user logs on.
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
      • 9f7f2173619f650345ea1ca6aab1e770 = "%AppData%\local\temp\windowz.exe"
      This registry entry causes Windows to launch the dropped file automatically on every restart of the host machine.

  • The original copy of the malware may be deleted after execution.

  • The malware may try to hide itself.

  • The malware may try to shut down the system.

  • The malware may try to install or copy itself into a system folder.

  • This malware may check the registry as part of its anti-virtualization or anti-debugging techniques.
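The autorun and dropped-file indicators listed above can be turned into a simple triage check. The following is an added example, not Fortinet's own tooling: it assumes the Run-key entries have already been exported from a host (for example with `reg query`) and supplied as constructed sample data, and it flags entries whose value name, target file name or target directory match this entry's behaviour.

```python
import re
from dataclasses import dataclass

# Indicators taken from this entry: the autorun value name and dropped-file names.
KNOWN_VALUE_NAME = "9f7f2173619f650345ea1ca6aab1e770"
KNOWN_DROPPED_NAMES = {
    "game.exe", "windowz.exe", "pornpic.scr", KNOWN_VALUE_NAME + ".exe",
}
# Run-key targets under a temp directory are rarely legitimate.
SUSPICIOUS_DIRS = ("\\temp\\",)


@dataclass
class RunEntry:
    hive: str      # e.g. "HKCU" or "HKLM"
    name: str      # value name under ...\Windows\CurrentVersion\Run
    command: str   # value data, possibly quoted and with arguments


def target_path(command: str) -> str:
    """Return the executable path from a Run value, lower-cased, without arguments."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)).lower() if m else ""


def classify(entry: RunEntry) -> list:
    """List the reasons an entry matches this detection's indicators (empty if none)."""
    reasons = []
    path = target_path(entry.command)
    basename = path.rsplit("\\", 1)[-1]
    if entry.name.lower() == KNOWN_VALUE_NAME:
        reasons.append("autorun value name matches the W32/Generic.AR!tr indicator")
    if basename in KNOWN_DROPPED_NAMES:
        reasons.append(f"target file name {basename} matches a dropped file")
    if any(d in path for d in SUSPICIOUS_DIRS):
        reasons.append("autorun target lives in a temp directory")
    return reasons


def scan(entries) -> dict:
    """Map (hive, value name) to reasons for every entry that raised at least one."""
    findings = {}
    for e in entries:
        reasons = classify(e)
        if reasons:
            findings[(e.hive, e.name)] = reasons
    return findings


# Constructed sample data (not from a real host): one infected entry, one benign, one partial match.
SAMPLE = [
    RunEntry("HKCU", KNOWN_VALUE_NAME, r'"C:\Users\alice\AppData\Local\Temp\windowz.exe"'),
    RunEntry("HKLM", "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunEntry("HKCU", "Updater", r"C:\Users\alice\Desktop\game.exe"),
]
```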



Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.