W32/Webber.J!tr
Analysis
- Update: AV definition v4.351 adds coverage for a variant of Webber and is identified as W32/Webber.J-tr.
- Threat is 32-bit, with a size of 44,064 bytes
- Trojan may have been introduced to the system by another malware component known as W32/DL.6176.B-net; this other Trojan attempts to download and install W32/Rebbew.J-tr from an Internet web page
- The Trojan is initially retrieved as a GIF image file named "neher.gif" and is saved under an .EXE file name
- When the Trojan is installed, it allows the infected system to be used as a proxy server
- Once the system is compromised, a hacker or group of hackers could hijack the computer to send spam messages or perform other malicious actions
- The Trojan opens a TCP port and awaits instructions from a hacker or group of hackers
- The Trojan may create a .DLL with a random file name to function as a component and modify the registry to load this component as a server application -
HKEY_CLASSES_ROOT\CLSID\{79FB9088-19CE-715D-D85A-216290C5B738}\InProcServer32\
"(Default)" = C:\WINNT\System32\<random>.dll
"ThreadingModel" = Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"Web Event Logger" = {79FB9088-19CE-715D-D85A-216290C5B738}
- Trojan modifies Internet Explorer to log passwords on websites by modifying the registry -
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"FormSuggest Passwords" = yes AutoSuggest (extra data)
"FormSuggest PW Ask" = yes AutoSuggest (extra data)
- Trojan may store email login credentials and other data in small files on the system -
c:\WINNT\system32\Neh32.dat
c:\WINNT\system32\Neh32.sys
c:\WINNT\system32\Neh32.vxd
- Trojan may attempt to connect to a Russian website 'www.royalpank.ru' using TCP port 80
- Once connected, the Trojan submits data via a server-side script detailing the IP address of the infected system as well as the TCP listening port used by the Trojan
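A defender-side check for the registry and file artifacts described above, as an added example that is not part of the Fortinet advisory. It assumes PowerShell run as an administrator on the host under investigation, uses $env:SystemRoot rather than the advisory's hard-coded C:\WINNT, and leaves the listening TCP port (not specified in the advisory) out of scope.

```powershell
# Added example (not from the advisory): look for the W32/Webber.J persistence,
# IE password-logging settings and credential files the advisory lists.
# Assumption: $env:SystemRoot stands in for the advisory's C:\WINNT.

$clsid = '{79FB9088-19CE-715D-D85A-216290C5B738}'   # CLSID from the advisory
$findings = @()

# 1. ShellServiceObjectDelayLoad entry that loads the CLSID at every logon
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$ssodlProps = Get-ItemProperty -Path $ssodl -ErrorAction SilentlyContinue
if ($ssodlProps) {
    foreach ($p in $ssodlProps.PSObject.Properties) {
        if ($p.Value -eq $clsid) { $findings += "SSODL value '$($p.Name)' -> $clsid" }
    }
}

# 2. InProcServer32 registration that maps the CLSID to a DLL in System32
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
$inprocProps = Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue
if ($inprocProps) {
    $dll = $inprocProps.'(default)'
    $findings += "CLSID $clsid registered with server DLL: $dll"
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        # The advisory gives no hash for the DLL; record ours for later analysis
        $hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
        $findings += "  DLL present on disk, SHA256=$hash"
    }
}

# 3. Internet Explorer form/password auto-suggest values the Trojan sets to "yes"
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ie = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
foreach ($name in 'FormSuggest Passwords', 'FormSuggest PW Ask') {
    if ($ie -and $ie.$name -eq 'yes') { $findings += "IE setting '$name' = yes" }
}

# 4. Credential-store files named in the advisory (Neh32.dat/.sys/.vxd)
foreach ($ext in 'dat', 'sys', 'vxd') {
    $f = Join-Path $env:SystemRoot "system32\Neh32.$ext"
    if (Test-Path -LiteralPath $f) { $findings += "Artifact file present: $f" }
}

if ($findings.Count -eq 0) { 'No Webber.J indicators found' } else { $findings }
```

A hit on the SSODL or InProcServer32 check alone is a strong signal, since legitimate software rarely registers under that CLSID; the IE values can be set by users, so treat them as corroborating evidence only.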
Recommended Action
- Block access to the web addresses and IP addresses associated with this Trojan, including the contact host www.royalpank.ru noted in the Analysis above
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option