W32/Webber.J!tr

description-logoAnalysis

  • Update: AV definition v4.351 adds coverage for a variant of Webber and is identified as W32/Webber.J-tr.
  • Threat is 32bit, with a size 44,064 bytes
  • Trojan may have been introduced to the system by another malware component known as W32/DL.6176.B-net - this other Trojan attempts to download and install W32/Rebbew.J-tr from an Internet web page
  • The Trojan is initially retrieved as a GIF image file named "neher.gif" and is saved as an .EXE file name
  • When the Trojan is installed, it will allow the infected system to be used as a proxy server
  • Once the system is compromised, a hacker or group of hackers could hijack use of the computer to send spam messages or other malicious actions
  • The Trojan will open a TCP port and await instructions from a hacker or group of hackers
  • The Trojan may create a .DLL with a random file name to function as a component and modify the registry to load this component as a server application -

    HKEY_CLASSES_ROOT\CLSID\
    {79FB9088-19CE-715D-D85A-216290C5B738}\InProcServer32\
    "(Default)" = C:\WINNT\System32\undefinedrandomundefined.dll
    "ThreadingModel" = Apartment

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\ShellServiceObjectDelayLoad\
    "Web Event Logger" = {79FB9088-19CE-715D-D85A-216290C5B738}

  • Trojan modifies Internet Explorer to log passwords on websites by modifying the registry -

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    "FormSuggest Passwords" = yes AutoSuggest (extra data)
    "FormSuggest PW Ask" = yes AutoSuggest (extra data)

  • Trojan may store email login credentials and other data into small files on the system -

    c:\WINNT\system32\Neh32.dat
    c:\WINNT\system32\Neh32.sys
    c:\WINNT\system32\Neh32.vxd

  • Trojan may attempt to connect to a Russian website 'www.royalpank.ru' using TCP port 80

  • Once connected, the Trojan will submit data via a server side script detailing the IP address of the infected system as well as the TCP listening port used by the Trojan

recommended-action-logoRecommended Action

  • Block access to these web addresses -

    bancoline.hotmail.ru
    www.royalpank.ru
    flock0uhs.newmail.ru
    nss.newmail.ru
    82.146.35.45
    82.146.56.242
    212.16.0.1
    212.48.140.151
    212.48.140.155

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR

Version Updates

Date Version Detail
2020-11-03 81.56700 Sig Updated
2020-08-29 79.99300 Sig Added