W32/Traf.A!worm
Analysis
Specifics
This malware is 32-bit with a packed file size of 18,544.
This threat sends a Denial of Service attack against
a single IP address - 218.5.76.168. This IP address
resolves to an Asia-hosted system. This malware has
no other purpose than to attempt to cause a DoS condition
against the target IP.
Loading At Windows Startup
If this Trojan is run, it will copy itself to the System/System32
folder as "Kernel32.exe" and will run immediately.
The Trojan modifies the registry to auto-run the Trojan
at each Windows startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"Kernel32" = Kernel32.exe
DoS Payload
The Trojan will continuously attempt to send SYN packets
to the target IP address 218.5.76.168. The number of
packets sent could cause a Denial of Service event against
the target system.
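As an added example (not code from the original analysis), the following Python checks for the two indicators described above: the autorun entry in a .reg export of the Run key, and a stream of SYN packets to the target IP in firewall log lines. The .reg text and the log line format are constructed for illustration; the field names (src=, dst=, flags=) are assumptions and not the page's.

```python
import re

# Indicators taken from the analysis above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
DOS_TARGET = "218.5.76.168"

# Constructed sample .reg export of the Run key (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Kernel32"="Kernel32.exe"
'''

# Constructed sample firewall log lines; the field layout is assumed.
SAMPLE_LOG = """\
2004-01-01 10:00:01 src=192.168.1.20 dst=10.0.0.5 proto=TCP flags=S dport=80
2004-01-01 10:00:02 src=192.168.1.20 dst=218.5.76.168 proto=TCP flags=S dport=80
2004-01-01 10:00:02 src=192.168.1.20 dst=218.5.76.168 proto=TCP flags=S dport=80
"""

def find_suspicious_run_entries(reg_text):
    """Return (name, data) pairs under the Run key matching the Trojan's
    autorun entry: a value named Kernel32 or data launching Kernel32.exe.
    The legitimate kernel32 is a DLL, so an .exe by that name is suspect."""
    hits = []
    in_run_key = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line.strip())
        if in_run_key and m:
            name, data = m.group(1), m.group(2)
            if name.lower() == "kernel32" or "kernel32.exe" in data.lower():
                hits.append((name, data))
    return hits

def count_syns_to_target(log_text, target=DOS_TARGET):
    """Count SYN events destined for the DoS target; a steady stream from
    one internal host is the on-the-wire symptom of the payload."""
    return sum(1 for l in log_text.splitlines()
               if f"dst={target}" in l and "flags=S" in l)

if __name__ == "__main__":
    print(find_suspicious_run_entries(SAMPLE_REG))  # [('Kernel32', 'Kernel32.exe')]
    print(count_syns_to_target(SAMPLE_LOG))          # 2
```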
Miscellaneous
This threat has the string "DDoSer" in its
code.
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option