# Virus

## W32/Generic.AR!tr

### Analysis

W32/Generic.AR!tr is a generic detection for a trojan. Since this is a generic detection, malware detected as W32/Generic.AR!tr may exhibit varying behaviour.
Below are examples of some of these behaviours:

• This malware drops the following files:
  • %Desktop%\game.exe : This file is a copy of the original malware itself.
  • %Desktop%\game.exe:zone.identifier : This file (an NTFS alternate data stream attached to game.exe) is detected as W32/Generic.AR!tr.
  • %Temp%\windowz.exe : This file is a copy of the original malware itself.
  • %StartUp%\9f7f2173619f650345ea1ca6aab1e770.exe : This file is a copy of the original malware itself.
  • %SystemDrive%\pornpic.scr : This file is a copy of the original malware itself.
  • %AppData%\Local\Temp\Update.txt : This text file contains the exact path of the malware.

• The malware attempts to connect to the following sites:
  • spr2{Removed}.ze.am
  • gkgk554{Removed}.codns.com
  • 8{Removed}.208.230.159

• Some of these samples have been observed to be corrupted or non-functioning.

• The following registry modifications are applied:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • 9f7f2173619f650345ea1ca6aab1e770 = "%AppData%\local\temp\windowz.exe"
    This automatically executes the dropped file every time the infected user logs on.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • 9f7f2173619f650345ea1ca6aab1e770 = "%AppData%\local\temp\windowz.exe"
    This entry registers the dropped file as an autostart that Windows runs on every restart of the host machine.

• The original copy of the malware may be deleted after execution.

• The malware may try to hide itself.

• The malware may try to shut down the system.

• The malware may try to install itself, or copy itself, into the system folder.

• This malware may check the registry as part of its anti-virtualization or anti-debugging techniques.
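The following is an added triage example, not Fortinet's code or the malware itself: it runs the file-drop and Run-key indicators listed above over a constructed host snapshot (a list of Run-key values as a `reg export` would give them, and a list of file paths with sizes, where an alternate data stream is written as `path:streamname`). The snapshot format, the "32 hex characters as a value name" heuristic and the Zone.Identifier size threshold are assumptions; a real Zone.Identifier stream is a few dozen bytes of INI text, so one the size of an executable is a payload hidden in the stream rather than a mark-of-the-web.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Added detection example; heuristics below are assumptions derived from the
# indicators listed on this page, not part of the original write-up.
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
# Drop locations from the page, matched case-insensitively as path fragments.
DROP_DIRS = ("\\temp\\", "\\startup\\", "\\desktop\\")
# Assumed threshold: a legitimate Zone.Identifier stream holds only
# "[ZoneTransfer]\r\nZoneId=3" and similar, never kilobytes.
MAX_NORMAL_ADS_BYTES = 1024


@dataclass(frozen=True)
class Finding:
    kind: str    # "run_key", "ads_payload", "hex_named_drop" or "scr_in_root"
    detail: str


def check_run_entries(entries: Iterable[tuple[str, str, str]]) -> list[Finding]:
    """entries are (registry key, value name, value data) triples."""
    out = []
    for key, name, data in entries:
        if key.lower() not in RUN_KEYS:
            continue
        target = data.strip().strip('"').lower()
        # An autorun value named like an MD5 hash that points into a temp or
        # profile folder is the pattern described for windowz.exe above.
        if HEX32.match(name) and any(d in target for d in DROP_DIRS):
            out.append(Finding("run_key", f"{key}\\{name} -> {data}"))
    return out


def check_files(files: Iterable[tuple[str, int]]) -> list[Finding]:
    """files are (path, size_in_bytes) pairs; ADS entries look like path:stream."""
    out = []
    for path, size in files:
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name.endswith(":zone.identifier"):
            if size > MAX_NORMAL_ADS_BYTES:   # far too big for a real MOTW stream
                out.append(Finding("ads_payload", f"{path} ({size} bytes)"))
            continue
        stem, _, ext = name.rpartition(".")
        if ext == "exe" and HEX32.match(stem) and "\\startup\\" in low:
            out.append(Finding("hex_named_drop", path))
        elif ext == "scr" and low.count("\\") == 1:   # sits directly in the drive root
            out.append(Finding("scr_in_root", path))
    return out


def triage(run_entries, files) -> list[Finding]:
    return check_run_entries(run_entries) + check_files(files)


# Constructed snapshot mirroring the indicators above; not real telemetry.
SAMPLE_RUN = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "9f7f2173619f650345ea1ca6aab1e770",
     r'"C:\Users\alice\AppData\Local\Temp\windowz.exe"'),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]
SAMPLE_FILES = [
    (r"C:\Users\alice\Desktop\game.exe", 245760),
    (r"C:\Users\alice\Desktop\game.exe:Zone.Identifier", 245760),
    (r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier", 26),
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
     r"\9f7f2173619f650345ea1ca6aab1e770.exe", 245760),
    (r"C:\pornpic.scr", 245760),
    (r"C:\Users\alice\AppData\Local\Temp\Update.txt", 58),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RUN, SAMPLE_FILES):
        print(f"{f.kind:16} {f.detail}")
```

On the sample snapshot this reports one Run-key finding (the hash-named value pointing at windowz.exe; the OneDrive entry is ignored), the oversized Zone.Identifier stream on game.exe, the hash-named copy in the Startup folder and the screensaver dropped in the drive root; Update.txt and the 26-byte stream on a normal download are left alone.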

### Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.