W32/Waski.A!tr

Analysis


  • Upon execution it drops the following files in the Temporary folder:
    • budha.exe
    • vres.exe
    These files are also detected as W32/Waski.A!tr.

  • It may download an executable file, then save it with a randomized file name to a newly created folder, also with a randomized name. At the time of this writing, the downloaded file can also be detected as W32/Waski.A!tr.

  • Another downloaded file may exist in the following folder:
    • %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\360[1].exe
    At the time of this writing, this file can be detected as W32/Inject.AAU!tr.

  • The following registry modifications are applied:
    • HKEY_CURRENT_USER\Software\Microsoft\[RandomRegistryName]
      This registry entry contains encrypted data, such as "SIeOiEUL9PURFbh7Ljadcpo2CiU65gR0O9A=".

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
        [RandomFileName] = "%AppData%\[RandomFolderName]\[RandomFileName].exe"
      This Run-key entry causes the downloaded file to be executed automatically every time the infected user logs on.

  • This malware has been observed to connect to remote sites with the following details:
    • 173.25{Removed}30:443
    • 216.17{Removed}13:443
    • www.unme{Removed}st.com:https
    • 205.25{Removed}75:http
    • host3554{Removed}ed.com:https
    • vpsn{Removed}me.com:https
    • 5.10{Removed}03:https

  • This malware injects itself into the Windows Explorer process (explorer.exe).

  • It disguises itself by using the Adobe PDF icon.

  • The original malware sample is deleted after execution.
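The artifacts above (two named droppers in %Temp%, a Run-key value pointing at %AppData%\<random>\<random>.exe, a base64-looking blob under a random HKCU\Software\Microsoft subkey, and injection into explorer.exe) can be checked on a suspect host with the following triage script. It is an added example and not part of this write-up or of any Fortinet tooling. It assumes the "randomized" folder and file names are alphanumeric, that the host runs PowerShell 4 or later (for Get-FileHash), and it is run in the context of the user account that was infected so that HKCU is the right hive.

```powershell
# Added triage script (not from the Fortinet write-up). Hunts for the dropped files,
# Run-key persistence, registry blob and explorer.exe injection described above.
# Assumption: the randomized names are alphanumeric; widen the regex if yours differ.

$appData  = [Environment]::GetFolderPath('ApplicationData')   # resolves %AppData%
$temp     = [IO.Path]::GetTempPath()                          # resolves %Temp%\
$findings = @()

function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail }
}

# 1. Dropped files named in the analysis: %Temp%\budha.exe and %Temp%\vres.exe
foreach ($name in 'budha.exe', 'vres.exe') {
    $p = Join-Path $temp $name
    if (Test-Path -LiteralPath $p) {
        Add-Finding 'DroppedFile' $p ((Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash)
    }
}

# 2. Run-key values of the form "%AppData%\<random>\<random>.exe" (HKCU per the write-up,
#    HKLM checked as well for completeness). Optional surrounding quotes are tolerated.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$pattern = '^"?' + [regex]::Escape($appData) + '\\[A-Za-z0-9]{3,}\\[A-Za-z0-9]{3,}\.exe"?$'
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($valueName in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($valueName)
        if ($cmd -match $pattern) {
            $exe  = $cmd.Trim('"')
            $hash = if (Test-Path -LiteralPath $exe) {
                        (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
                    } else { 'file missing (sample may have self-deleted)' }
            Add-Finding 'RunKey' "$key\$valueName" "$cmd  [$hash]"
        }
    }
}

# 3. Direct child keys of HKCU\Software\Microsoft whose own values are lone base64-looking
#    strings (the write-up shows "SIeOiEUL9PURFbh7Ljadcpo2CiU65gR0O9A="). Subkeys are not
#    walked recursively, which keeps noise from legitimate Microsoft keys low.
$b64 = '^[A-Za-z0-9+/]{20,}={0,2}$'
foreach ($sub in Get-ChildItem -LiteralPath 'HKCU:\Software\Microsoft' -ErrorAction SilentlyContinue) {
    foreach ($valueName in $sub.GetValueNames()) {
        $v = $sub.GetValue($valueName)
        if ($v -is [string] -and $v -match $b64) {
            $label = if ($valueName) { $valueName } else { '(Default)' }
            Add-Finding 'RegistryBlob' "$($sub.Name)\$label" $v
        }
    }
}

# 4. explorer.exe is the injection target. Modules loaded from outside %SystemRoot% and
#    Program Files are a cheap hint; shellcode injected without a DLL will not show here,
#    so an empty result does not clear the process.
$sysRoot = $env:SystemRoot
foreach ($proc in Get-Process explorer -ErrorAction SilentlyContinue) {
    foreach ($m in $proc.Modules) {
        if ($m.FileName -and
            $m.FileName -notlike "$sysRoot\*" -and
            $m.FileName -notlike "$env:ProgramFiles\*" -and
            $m.FileName -notlike "${env:ProgramFiles(x86)}\*") {
            Add-Finding 'ExplorerModule' "PID $($proc.Id)" $m.FileName
        }
    }
}

if ($findings.Count -eq 0) { 'No Waski-style artifacts found for this user.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Step 2 is the most specific check and the one worth alerting on; step 3 will occasionally flag legitimate keys that store base64 data, so treat its hits as leads to inspect rather than detections. Since the sample deletes itself after running and the downloaded payload lives under a random name, the Run-key value and the hash of the file it points to are the indicators most useful to record before cleaning the host.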

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-12-20 91.09891
2023-11-29 91.09265
2023-11-22 91.09040
2023-11-20 91.08976
2023-11-03 91.08481
2023-10-15 91.07891
2023-09-26 91.07317
2023-09-19 91.07104
2023-08-22 91.06264
2023-08-14 91.06015