• This threat is a 32-bit executable; the UPX-compressed file size is 4096 bytes
  • This threat may have been mass-mailed as spam from a hacker or group of hackers
  • When executed, this threat modifies the registry, creating keys and altering them so that the threat is loaded at Windows startup -

    Keys created:

    Windows startup key modification:
    .inr\5Nzg1mOWKzFnuvu6 = undefinedP\undefinedF

    Where undefinedP is the path and undefinedF is the file name location of the threat when it was executed

  • This threat will attempt to connect to the IP address (an account) and download a remote access Trojan (RAT) binary, then execute it
  • The downloaded Trojan will then copy itself to the Windows\System folder as "MSREXE.EXE" and also modify the registry to load at Windows startup
  • The downloader threat contains these strings -

    Hello, world Inor
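The indicators above (a Run-key autostart entry and a RAT copied to the Windows\System folder as MSREXE.EXE) can be checked for on a host with a short script. The following PowerShell is an added example for defenders, not code from the vendor entry; it assumes only the file name and folder given above, and additionally checks System32 as an assumption for NT-based Windows layouts.

```powershell
# Added example (not the vendor's code): look for the persistence and drop
# locations described in the entry above.

$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$indicator = 'msrexe.exe'   # file name of the downloaded RAT, from the entry
$findings  = @()

# 1. Run / RunOnce values whose data references the RAT file name
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
    $data = [string]$p.Value
    if ($data -match [regex]::Escape($indicator)) {
      $findings += [pscustomobject]@{
        Where  = $key
        Name   = $p.Name
        Data   = $data
        Reason = "autostart value references $indicator"
      }
    }
  }
}

# 2. The dropped file itself. Windows\System is the folder named in the entry;
#    System32 is an added assumption for NT-based systems.
foreach ($dir in @("$env:windir\System", "$env:windir\System32")) {
  $path = Join-Path $dir 'MSREXE.EXE'
  if (Test-Path $path) {
    $item = Get-Item $path
    $findings += [pscustomobject]@{
      Where  = '(file system)'
      Name   = $path
      Data   = "$($item.Length) bytes, modified $($item.LastWriteTime)"
      Reason = 'file name matches the dropped RAT'
    }
  }
}

if ($findings.Count -eq 0) {
  'No indicators from this entry were found on this host.'
} else {
  $findings | Format-Table -AutoSize
}
```

A hit on either check is a reason to pull the file for AV scanning and to review the Run-key value rather than to delete it blindly; the entry notes the downloader itself is a separate, small (4096-byte) UPX-packed binary, so the autostart entry may point at that file rather than at MSREXE.EXE.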

Recommended Action

Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.