W32/Resumdor.B!tr
Analysis
Specifics
This Trojan is 32-bit with a packed file size of 32,256
bytes. The Trojan may contact an external web site and send
information to a server-side script. If the Trojan is
run, it may copy itself to the Windows\System folder
as "ccmod32.exe", and into the Windows folder
as "netddt.exe". The Trojan contains key logging
instructions and writes the captured data to a temporary
data file.
Loading at Windows Startup
If the Trojan is run, it could modify the registry to
auto run at next Windows Startup -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\info
"(Default)" =
"ver" = 1.6k3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"(Default)" = CMMOD32.EXE
The Trojan may also load from another file and location -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" = explorer.exe NETDDT.EXE
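A read-only host triage script for the persistence entries and dropped files listed above, added here as an example and not part of the original advisory. It assumes a modern Windows host where the legacy Windows\System folder may map to System32, and it checks both the "ccmod32.exe" spelling given for the dropped file and the "CMMOD32.EXE" spelling given in the Run value.

```powershell
# Triage for W32/Resumdor.B!tr persistence and dropped files. Reports only; changes nothing.
$findings = @()

# 1. Run key: the advisory lists a "(Default)" value of CMMOD32.EXE.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runDefault = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'(default)'
if ($runDefault -and $runDefault -match 'CMMOD32\.EXE') {
    $findings += "Run key (Default) value launches '$runDefault'"
}

# 2. Winlogon Shell: anything beyond the stock 'explorer.exe' is suspicious.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += "Winlogon Shell is '$shell' (expected 'explorer.exe')"
}

# 3. Marker key written by the Trojan (holds "ver" = 1.6k3 per the advisory).
$marker = 'HKLM:\SOFTWARE\Microsoft\info'
if (Test-Path -Path $marker) {
    $ver = (Get-ItemProperty -Path $marker -ErrorAction SilentlyContinue).ver
    $findings += "Marker key $marker present (ver = '$ver')"
}

# 4. Dropped files. System32 entries are an assumption for NT-based hosts.
$paths = @(
    (Join-Path $env:SystemRoot 'System\ccmod32.exe')
    (Join-Path $env:SystemRoot 'System\cmmod32.exe')
    (Join-Path $env:SystemRoot 'System32\ccmod32.exe')
    (Join-Path $env:SystemRoot 'System32\cmmod32.exe')
    (Join-Path $env:SystemRoot 'netddt.exe')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += "Dropped file present: $p (SHA256 $hash)"
    }
}

# 5. Processes running under the dropped file names.
foreach ($proc in (Get-Process -Name 'ccmod32','cmmod32','netddt' -ErrorAction SilentlyContinue)) {
    $findings += "Running process: $($proc.Name) (PID $($proc.Id)) $($proc.Path)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Resumdor.B indicators found.'
} else {
    Write-Warning "Resumdor.B indicators found on $($env:COMPUTERNAME):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run from an elevated PowerShell prompt so that file hashes and process paths are readable; a hit on the Winlogon Shell check should be confirmed by hand, since third-party shells also change that value.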
Malicious User Notification
At some point the Trojan may attempt to contact a hard-coded
website and send data using a server-side script. The
information could be data such as the IP address of
the compromised system and other logon credential data.
Miscellaneous
The Trojan contains these strings in its body -
1.6k3
kRESUMEk3
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- Using the FortiGate manager, add this URL to the
URL blocking list
www27.brinkster.com
Telemetry
Detection Availability

Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |