Virus

W32/Spybot.S!tr

Analysis

  • Threat is 32 bit with a compressed file size of 30,720 bytes
  • If the Trojan is run, it will copy itself to the undefinedWindowsundefined\System32 folder and create an additional DLL file -

    C:\WINNT\system32\nvcpl.exe (30,720 bytes)
    C:\WINNT\system32\rswpscfg.dll (59,392 bytes)

  • The threat will attempt to connect to the IRC server keksovat.pp.ru using TCP port 9991 and join the channel "zomb-mail"

  • While connected to the IRC server, the bot will await instructions from a hacker or group of hackers

  • The Trojan may also bind to TCP port 31031 with the IP address 65.110.52.120

  • The threat will auto run at Windows startup because of a registry modification -

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    "NvCpl32Deamon" = nvcpl.exe (extra data)

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
    "NvCpl32Deamon" = nvcpl.exe (extra data)

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Add these web addresses to the block list in Fortigate -

    65.110.52.120
    keksovat.pp.ru