W32/Androm.AF!tr.bdr
Analysis
W32/Androm.AF!tr.bdr is a generic detection for a type of trojan. Because the detection is generic, samples detected as W32/Androm.AF!tr.bdr may differ in behavior.
Below are examples of some of these behaviors:
- It drops a copy of itself with a randomized name in the All Users' Profile folder.
- The following registry modifications are applied:
  - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    - [RandomNumber] = "%AllUserProfile%\[RandomFileName].exe"
  - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    - HideSCAHealth = 0
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    - HideSCAHealth = 0
  - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
    - EnableLUA = 0
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    - ShowSuperHidden = 0
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    - Hidden = 2
- It performs DNS queries on the following names:
- update.microsoft.com
- whi{Removed}.ru
- whi{Removed}.ru/board/board.php
- The original copy of the malware is deleted after execution.
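The registry changes listed above are the most durable artifacts of this family on a compromised host, so they are the natural thing to audit. The script below is an added example, not part of the Fortinet entry or any Fortinet tool: it reads each listed value, reports those that match the documented post-infection state, and inspects the Policies\Explorer\Run key for values that point at an executable in the All Users profile directory. The function name Test-AndromRegistryIndicators and the treatment of ALLUSERSPROFILE as the "All Users' Profile folder" are assumptions; run it in an elevated PowerShell session so that HKLM is readable.

```powershell
# Added audit script (not from the Fortinet entry). Reads the registry values the
# entry lists and returns the ones that currently hold the documented malicious state.
# Assumption: ALLUSERSPROFILE is the "All Users' Profile folder" the entry refers to.

$indicators = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'HideSCAHealth';   Bad = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'HideSCAHealth';   Bad = 0 },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableLUA';       Bad = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Bad = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';          Bad = 2 }
)

# Policy-based autostart location used by the sample; it does not exist on a default install.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'

function Test-AndromRegistryIndicators {
    $findings = @()

    # 1. Fixed-value indicators: flag only when the value exists AND equals the documented state.
    foreach ($i in $indicators) {
        $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($i.Name) -eq $i.Bad) {
            $findings += [pscustomobject]@{
                Indicator = 'RegistryValue'
                Path      = $i.Path
                Name      = $i.Name
                Value     = $item.($i.Name)
            }
        }
    }

    # 2. Autostart entry: any value whose data names an .exe under the All Users profile,
    #    whether written expanded or as the %AllUserProfile%-style variable the entry shows.
    if (Test-Path $runKey) {
        $props = Get-ItemProperty -Path $runKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSParentPath, ...)
            $data = [string]$p.Value
            $pointsAtProfile = ($data -match '(?i)AllUsers?Profile') -or
                               ($data -like "$($env:ALLUSERSPROFILE)*")
            if ($data -match '(?i)\.exe' -and $pointsAtProfile) {
                $findings += [pscustomobject]@{
                    Indicator = 'AutostartEntry'
                    Path      = $runKey
                    Name      = $p.Name
                    Value     = $data
                }
            }
        }
    }

    # 3. Dropped copy: loose executables sitting directly in the All Users profile directory.
    Get-ChildItem -Path $env:ALLUSERSPROFILE -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Indicator = 'LooseExecutable'
                Path      = $_.DirectoryName
                Name      = $_.Name
                Value     = $_.LastWriteTime
            }
        }

    return $findings
}

Test-AndromRegistryIndicators | Format-Table -AutoSize
```

Each finding is weak on its own: EnableLUA = 0 and the Explorer hidden-file settings are also changed by administrators and by unrelated software. The combination of a Policies\Explorer\Run autostart value, a loose executable in the All Users profile and the UAC/hidden-file changes together is what matches the behavior described in this entry, and any hit should be followed up with an AV scan and a look at the referenced executable rather than acted on directly.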
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
The following Fortinet products are listed for this detection:
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR