Virus

W32/Agent.C!tr

Analysis

  • Drops a copy of itself to the System folder as commdlgdll.exe.
  • Creates the following registry entry to automatically execute itself during startup:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      commdlg.dll = "%System%\commdlgdll.exe"
  • Drops a copy of itself to all removable/floppy drives as driver.exe.
  • Drops the file autorun.inf to automatically execute its dropped copy whenever the drive is opened in Explorer (or, where AutoRun is enabled for removable media, as soon as the drive is inserted). The Shell=Auto line makes the custom "Auto" verb the default double-click action, so even a user who opens the drive by hand launches driver.exe. The following are the contents of this file:
    [Autorun]
    Open=driver.exe
    shellexecute=driver.exe
    shell\Auto\command=driver.exe
    Shell=Auto
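The following is an added detection example, not Fortinet code and not part of the original entry. It parses an autorun.inf the way Windows reads it (case-insensitive [autorun] section, last duplicate key wins), lists every executable the file would launch through Open=, shellexecute= and shell\<verb>\command=, flags the Shell=<verb> default-action redirection, and reports whether the indicators above (driver.exe on the drive, the commdlg.dll Run value) are present. The sample autorun.inf is the one quoted in the analysis; all function names are this example's own.

```python
"""Detection helper for the autorun.inf / Run-key persistence described for
W32/Agent.C!tr. Added example for this page; assumption: indicator strings
are exactly those in the analysis above."""
import re
import sys
from pathlib import Path
from typing import Dict, List, Optional

# Indicators taken from the analysis above.
IOC_REMOVABLE_COPY = "driver.exe"
IOC_RUN_VALUE = "commdlg.dll"
IOC_SYSTEM_COPY = "commdlgdll.exe"

# Constructed sample: the autorun.inf contents quoted in the analysis.
SAMPLE_AUTORUN_INF = """[Autorun]
Open=driver.exe
shellexecute=driver.exe
shell\\Auto\\command=driver.exe
Shell=Auto
"""

_VERB_COMMAND = re.compile(r"shell\\([^\\]+)\\command")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key/value pairs of the [autorun] section with keys lower-cased.
    Windows treats section and key names case-insensitively and lets a later
    duplicate key override an earlier one; both behaviours are mirrored here."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def _exe_name(command: str) -> str:
    """Base file name of the first token of a command line, lower-cased."""
    token = command.strip().split()[0].strip('"') if command.strip() else ""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Every command the autorun file would run: Open=, shellexecute=, and
    each shell\\<verb>\\command= entry."""
    targets = [entries[k] for k in ("open", "shellexecute") if k in entries]
    targets += [v for k, v in entries.items() if _VERB_COMMAND.fullmatch(k)]
    return targets


def assess_autorun(text: str) -> dict:
    """Summarise what an autorun.inf would do and match it against the IOCs."""
    entries = parse_autorun(text)
    names = sorted({_exe_name(t) for t in launch_targets(entries) if t})
    custom_verbs = set()
    for key in entries:
        m = _VERB_COMMAND.fullmatch(key)
        if m:
            custom_verbs.add(m.group(1).lower())
    default_verb = entries.get("shell", "").lower()
    return {
        "targets": names,
        "default_verb": default_verb,
        # Shell=<verb> pointing at a custom verb hijacks the double-click action.
        "custom_default_verb": default_verb in custom_verbs,
        "matches_agent_c": IOC_REMOVABLE_COPY in names,
    }


def scan_drive_root(root: str) -> Optional[dict]:
    """Assess <root>\\autorun.inf if it exists (e.g. root='E:\\\\')."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return None
    return assess_autorun(inf.read_text(errors="replace"))


def check_run_key() -> Optional[str]:
    """On Windows, return the data of the commdlg.dll Run value if present.
    Returns None when absent or when not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily on purpose
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0,
                            winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
            data, _ = winreg.QueryValueEx(key, IOC_RUN_VALUE)
            return data
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print(assess_autorun(SAMPLE_AUTORUN_INF))
    print("Run value:", check_run_key())
```

On a live host, run scan_drive_root on each removable volume and check_run_key on the machine; a hit on either, or on a copy of commdlgdll.exe in the System folder, corroborates this detection. Note that a legitimate CD autorun may also use Open= or shellexecute=, so the strongest single signal here is the Shell=<custom verb> redirection combined with an executable sitting in the drive root.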

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the 'Allow Push Update' option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.