W32/Maz.A

Analysis

• Threat is 32bit and has a UPX compressed file size of 4096 bytes
  
• This threat may have been mass-mailed as spam from a hacker or group of hackers
  
• When executed, this threat will modify the registry by creating keys and modifying them to load the threat at Windows startup -

  Keys created:
  HKEY_CLASSES_ROOT\.inr
  HKEY_CLASSES_ROOT\.inr\5Nzg1mOWKzFnuvu6

  Windows startup key modification:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run
  .inr\5Nzg1mOWKzFnuvu6 = undefinedP\undefinedF

  Where undefinedP is the path and undefinedF is the file name location of the threat when it was executed

• This threat will attempt to connect with the IP address 66.150.1.145 (a Hypernet.net account) and download a remote access Trojan (RAT) binary, then execute it
  
• The downloaded Trojan will then copy itself to the Windows\System folder as "MSREXE.EXE" and also modify the registry to load at Windows startup
  
• The downloader threat contains these strings -

  Hello, world Inor
  

Recommended Action

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option