W32/Maz.A
Analysis
- Threat is 32-bit and has a UPX-compressed file size of 4096 bytes
- This threat may have been mass-mailed as spam from a hacker or group of hackers
- When executed, this threat will modify the registry by creating keys and modifying them to load the threat at Windows startup
  Keys created:
  HKEY_CLASSES_ROOT\.inr
  HKEY_CLASSES_ROOT\.inr\5Nzg1mOWKzFnuvu6
  Windows startup key modification:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  .inr\5Nzg1mOWKzFnuvu6 = <P>\<F>
  where <P> is the path and <F> is the file name of the threat at the time it was executed
- This threat will attempt to connect to the IP address 66.150.1.145 (a Hypernet.net account), download a remote access Trojan (RAT) binary, and then execute it
- The downloaded Trojan will then copy itself to the Windows\System folder as "MSREXE.EXE" and also modify the registry to load at Windows startup
- The downloader threat contains these strings:
  Hello, world Inor
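The indicators above (the HKCR\.inr class keys, the Run-key value, the download server and the dropped MSREXE.EXE) can be turned into an offline host and log check. The script below is an added example written for this page, not Fortinet's code or a tool from the write-up. It assumes a registry export in the format produced by `reg export` and a generic key=value firewall log with `src=`/`dst=` fields; both samples are constructed here so the script runs stand-alone. Because the write-up does not say which startup key the downloaded RAT modifies, the check for MSREXE.EXE looks at any value under the Run key, which is an assumption.

```python
"""Offline IOC check for the W32/Maz.A indicators in the write-up above.

Constructed example: the registry export and log lines are made-up sample
data; the IOC values themselves are taken from the write-up.
"""
import re

# Indicators quoted from the write-up
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = r".inr\5Nzg1mOWKzFnuvu6"
CLASSES_KEY = r"HKEY_CLASSES_ROOT\.inr"
DOWNLOAD_HOST = "66.150.1.145"
DROPPED_FILE = "MSREXE.EXE"

# One "name"=data line of a .reg file; value names and REG_SZ data escape \ and "
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg escaping: a doubled backslash becomes one, \\" becomes a quote."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text):
    """Parse a Windows .reg export into {key_path: {value_name: data}}.

    Only quoted (REG_SZ) data is unescaped; dword:/hex: data is kept as the
    raw text after '='. Key paths are stored as written.
    """
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            reg[current][name] = data
    return reg


def _lookup_key(reg, path):
    """Case-insensitive key lookup, since registry paths are not case-sensitive."""
    for key, values in reg.items():
        if key.lower() == path.lower():
            return values
    return {}


def find_persistence(reg):
    """Return (kind, key_or_value_name, data) tuples for the startup artefacts.

    'run_key'     : the Run value named after the .inr class key (from write-up)
    'classes_key' : HKCR\\.inr and anything beneath it (from write-up)
    'rat_run_key' : any other Run value pointing at MSREXE.EXE (assumed check;
                    the write-up does not name the RAT's startup key)
    """
    findings = []
    run_values = _lookup_key(reg, RUN_KEY)
    if RUN_VALUE_NAME in run_values:
        findings.append(("run_key", RUN_VALUE_NAME, run_values[RUN_VALUE_NAME]))
    prefix = CLASSES_KEY.lower()
    for key in reg:
        k = key.lower()
        if k == prefix or k.startswith(prefix + "\\"):
            findings.append(("classes_key", key, None))
    for name, data in run_values.items():
        if name != RUN_VALUE_NAME and DROPPED_FILE.lower() in data.lower():
            findings.append(("rat_run_key", name, data))
    return findings


# Generic key=value log format (assumption, not a specific vendor's layout)
_LOG_RE = re.compile(r"\bsrc=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def find_download_attempts(log_lines):
    """Return the source hosts that tried to reach the RAT download server."""
    return [m.group("src") for m in map(_LOG_RE.search, log_lines)
            if m and m.group("dst") == DOWNLOAD_HOST]


# Constructed sample data: an infected host's export plus three log lines
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.inr]

[HKEY_CLASSES_ROOT\.inr\5Nzg1mOWKzFnuvu6]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
".inr\\5Nzg1mOWKzFnuvu6"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\attach.exe"
"msrexe"="C:\\WINDOWS\\System\\MSREXE.EXE"
'''
SAMPLE_LOG = [
    "2003-01-15 10:02:11 action=accept src=10.0.0.12 dst=66.150.1.145 dport=80",
    "2003-01-15 10:02:13 action=accept src=10.0.0.12 dst=198.51.100.7 dport=443",
    "2003-01-15 10:05:40 action=accept src=10.0.0.31 dst=66.150.1.145 dport=80",
]

if __name__ == "__main__":
    for finding in find_persistence(parse_reg_export(SAMPLE_REG)):
        print("registry:", finding)
    print("hosts contacting download server:", find_download_attempts(SAMPLE_LOG))
```

On a real host, feed `parse_reg_export` the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKCR branch), and feed `find_download_attempts` the perimeter log; a hit on `run_key` or `classes_key` is specific to this threat, while a `rat_run_key` hit only flags the file name and should be confirmed by hashing the binary in Windows\System.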
Recommended Action
Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option