W32/Sdexe!tr
Analysis
- Trojan is 32 bit with a compressed file size of 66,056 bytes, and was coded using Visual C++
- If Trojan is run, it may first delete any copy which may exist in the %System% folder named "sdexe.exe", and then copies itself to that folder by the same name
- Next the Trojan may modify the registry to auto run at next Windows startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Mendware App = sdexe.exe
- Trojan contains instructions to read Internet cookie data
- Trojan communicates with the web IP address 66.150.193.111 using a server-side script to submit information
- Trojan supports remote command instructions to update itself
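The following PowerShell script is an added example, not part of the original entry or of any Fortinet tool. It checks a Windows host for the three indicators the analysis above lists: the Run value "Mendware App = sdexe.exe", a dropped copy of sdexe.exe in the %System% folder, and a live TCP connection to 66.150.193.111. The function name Test-SdexeIndicators is this example's own, and it assumes %System% maps to %SystemRoot%\System32 as on modern Windows.

```powershell
# Added example: host-side check for the W32/Sdexe!tr indicators listed in the analysis.
# Indicator values are taken from the entry; function and variable names are assumed.
$RunKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'Mendware App'
$FileName  = 'sdexe.exe'
$C2Address = '66.150.193.111'

function Test-SdexeIndicators {
    $findings = @()

    # 1. Persistence: the Run value named in the entry
    $runValue = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $runValue) {
        $findings += "Run value '$ValueName' present: $($runValue.$ValueName)"
    }

    # 2. Dropped copy in the %System% folder (assumed to be %SystemRoot%\System32)
    $dropPath = Join-Path $env:SystemRoot "System32\$FileName"
    if (Test-Path -LiteralPath $dropPath) {
        # Hash is reported for triage only; the entry does not publish a reference hash
        $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
        $findings += "File present: $dropPath (SHA256 $hash)"
    }

    # 3. Network: current TCP connections to the address the entry names
    $conns = Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $findings += "Connection to $C2Address from PID $($c.OwningProcess) (state $($c.State))"
    }

    return $findings
}

$result = Test-SdexeIndicators
if ($result.Count -eq 0) { 'No W32/Sdexe!tr indicators found' } else { $result }
```

Run it from an elevated prompt so the HKLM key and System32 are readable; an empty result only means these specific indicators are absent, and a hit on the Run value or file should be followed by isolating the host before removal.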
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
- Using the FortiGate manager, add the IP address 66.150.193.111 in the URL block list