W32/Androm.AF!tr.bdr

Analysis


W32/Androm.AF!tr.bdr is a generic detection for a type of trojan. Because the detection is generic, malware detected as W32/Androm.AF!tr.bdr may exhibit varying behavior.
Below are examples of some of these behaviors:

  • It drops a copy of itself with a randomized name in the All Users' Profile folder.

  • The following registry modifications are applied:
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
      • [RandomNumber] = "%AllUserProfile%\[RandomFileName].exe"
      This runs the dropped file automatically.

    • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
      • HideSCAHealth = 0
      This disables the Action Center notification icon for the local machine.

    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
      • HideSCAHealth = 0
      This disables the Action Center notification icon for the current user.

    • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
      • EnableLUA = 0
      This disables notifications to users when programs try to make changes to the computer.

    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      • ShowSuperHidden = 0
      This hides protected operating system files.

    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      • Hidden = 2
      This hides hidden files.

  • It performs DNS queries on the following names:
    • update.microsoft.com
    • whi{Removed}.ru
    • whi{Removed}.ru/board/board.php

  • The original copy of the malware is deleted after execution.
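
As an added example (not part of Fortinet's description), the following read-only PowerShell audit script checks a host for the registry artifacts listed above. Key paths, value names and values come from this page; the script assumes the All Users profile folder is %ALLUSERSPROFILE%.

```powershell
# Added audit script, not from the original page. Reads the registry only; changes nothing.
# Policy values this description reports the malware setting, with the reported values.
$Indicators = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'HideSCAHealth';   Expected = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'HideSCAHealth';   Expected = 0 },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableLUA';       Expected = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';  Name = 'ShowSuperHidden'; Expected = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';  Name = 'Hidden';          Expected = 2 }
)
# Metadata properties Get-ItemProperty adds to every result; they are not registry values.
$PsMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AndromRegistryFindings {
    $findings = @()
    foreach ($i in $Indicators) {
        $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($i.Name) -eq $i.Expected) {
            $findings += [pscustomobject]@{ Type = 'PolicyValue'; Location = "$($i.Path)\$($i.Name)"; Value = $item.($i.Name) }
        }
    }
    # Autostart entries under Policies\Explorer\Run: flag values whose target is an .exe in the
    # All Users profile folder (assumed to be %ALLUSERSPROFILE%) or whose name is purely numeric,
    # matching the [RandomNumber] = "...\[RandomFileName].exe" pattern described above.
    $runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    $allUsers = [Environment]::GetEnvironmentVariable('ALLUSERSPROFILE')
    if (Test-Path $runKey) {
        $props = Get-ItemProperty -Path $runKey
        foreach ($p in $props.PSObject.Properties) {
            if ($PsMeta -contains $p.Name) { continue }
            $target = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            if (($target -like "$allUsers\*.exe") -or ($p.Name -match '^\d+$')) {
                $findings += [pscustomobject]@{ Type = 'PolicyRun'; Location = "$runKey\$($p.Name)"; Value = $p.Value }
            }
        }
    }
    return $findings
}

$results = @(Get-AndromRegistryFindings)
if ($results.Count -eq 0) { 'No registry indicators from this description were found.' }
else { $results | Format-Table -AutoSize }
```

Run it in an elevated PowerShell session so the HKLM policy keys are readable; a hit on any row is a reason to pull the referenced file for analysis and review the host's autostart locations.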

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-02-16 91.00655
2023-02-16 91.00640
2022-11-22 90.08067
2022-11-21 90.08043
2022-10-03 90.06554
2022-08-22 90.05306
2022-01-04 89.08396
2022-01-03 89.08373
2021-11-08 89.06684
2021-11-01 89.06481