Virus

W32/Webber.I!tr

Analysis

This threat may have been introduced to the system via a malicious web page. When this Trojan is installed on a system, three files are written to the System32 folder. Two of the files have random names and the third has a fixed name, for example -
Dapjjj32.dll [7,169 bytes]
Icqfapme.exe [67,818 bytes]
engl32.dat [small text file]
The file "engl32.dat" is a small text file containing the machine name and the logon name of the user who was logged on to the compromised system at the time of infection.
The Trojan performs periodic DNS queries for the web site 'www.pidorasam.net'.
This Trojan registers its small DLL to load as a component of Internet Explorer, as in this example -
HKEY_CLASSES_ROOT\CLSID\
{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\
"(Default)" = C:\WINNT\System32\Dapjjj32.dll
"ThreadingModel" = Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad\
"Web Event Logger" = {79FEACFF-FFCE-815E-A900-316290B5B738}
The .DLL may function as a remote shell on the compromised system. This .DLL may also be known as Backdoor.Padador.
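The persistence mechanism above (a CLSID registered under ShellServiceObjectDelayLoad whose InProcServer32 points at a DLL in System32) can be triaged offline from a registry export collected during incident response. The following Python script is an added example written for this page, not Fortinet's tooling or code from the analysis: it parses a `reg export`-style text dump, resolves each ShellServiceObjectDelayLoad entry to the DLL it loads, and flags entries that match the CLSID and sample DLL name given above or that fall outside an analyst-supplied baseline of expected DLLs. The CLSID and "Dapjjj32.dll" come from the analysis; the benign entry, its CLSID, and the baseline list are constructed for the demonstration, and because the real dropped DLL names are random, the baseline comparison matters more than the name match.

```python
"""Offline triage of a Windows .reg export for ShellServiceObjectDelayLoad persistence."""
import re

# Indicators taken from the analysis above. The DLL name is the sample name only;
# real infections use random names, so the baseline check below is the useful one.
KNOWN_BAD_CLSIDS = {"{79FEACFF-FFCE-815E-A900-316290B5B738}"}
KNOWN_BAD_DLLS = {"dapjjj32.dll"}

SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# Constructed sample export: the "Web Event Logger" entry mirrors the analysis above,
# the "ExampleBenignObject" entry and its CLSID are made up for the demo.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ExampleBenignObject"="{11111111-2222-3333-4444-555555555555}"
"Web Event Logger"="{79FEACFF-FFCE-815E-A900-316290B5B738}"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\WINNT\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
@="C:\\WINNT\\System32\\Dapjjj32.dll"
"ThreadingModel"="Apartment"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
# Matches either the default value (@=...) or a named value ("name"=...).
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(value):
    """Strip the quotes of a .reg string value and undo its \\ and \" escaping."""
    if value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse a .reg export into {key_path_lowercase: {value_name: value}}.

    The default value (@) is stored under the name ''. Only string values are
    handled, which is all this persistence check needs.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else ""
            keys[current][name] = _unescape(m.group(2))
    return keys


def find_shell_delay_load(keys):
    """Return [(value_name, clsid)] registered under ShellServiceObjectDelayLoad."""
    return list(keys.get(SSODL_KEY.lower(), {}).items())


def resolve_inproc_server(keys, clsid):
    """Return the DLL path in the CLSID's InProcServer32 default value, or None."""
    key = ("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InProcServer32").lower()
    return keys.get(key, {}).get("")


def triage(reg_text, baseline_dlls=frozenset()):
    """Resolve every ShellServiceObjectDelayLoad entry to its DLL and flag it.

    known_webber: CLSID or DLL name matches the indicators from the analysis.
    off_baseline: DLL name is not in the analyst's list of expected shell objects.
    """
    keys = parse_reg_export(reg_text)
    findings = []
    for name, clsid in find_shell_delay_load(keys):
        dll = resolve_inproc_server(keys, clsid)
        base = dll.rsplit("\\", 1)[-1].lower() if dll else None
        findings.append({
            "name": name,
            "clsid": clsid,
            "dll": dll,
            "known_webber": clsid.upper() in KNOWN_BAD_CLSIDS or base in KNOWN_BAD_DLLS,
            "off_baseline": base not in baseline_dlls,
        })
    return findings


if __name__ == "__main__":
    # Constructed baseline: the shell objects an analyst expects on this host.
    for finding in triage(SAMPLE_REG_EXPORT, {"shell32.dll"}):
        print(finding)
```

On a real case the export would come from `reg export` of the two keys on the suspect host; the baseline should be built from a known-clean reference build of the same Windows version rather than from the suspect machine itself.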

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, add these web addresses to the list of URLs to block -
    203.194.209.77
    www.pidorasam.net