W32/Spybot.S!tr
Analysis
- Threat is 32-bit with a compressed file size of 30,720 bytes
- If the Trojan is run, it will copy itself to the %Windows%\System32 folder and create an additional DLL file:
  C:\WINNT\system32\nvcpl.exe (30,720 bytes)
  C:\WINNT\system32\rswpscfg.dll (59,392 bytes)
- The threat will attempt to connect to the IRC server keksovat.pp.ru using TCP port 9991 and join the channel "zomb-mail"
- While connected to the IRC server, the bot will await instructions from a hacker or group of hackers
- The Trojan may also bind to TCP port 31031 with the IP address 65.110.52.120
- The threat will auto-run at Windows startup because of a registry modification:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  "NvCpl32Deamon" = nvcpl.exe (extra data)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
  "NvCpl32Deamon" = nvcpl.exe (extra data)
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option
- Add these addresses to the block list in FortiGate:
  65.110.52.120
  keksovat.pp.ru
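The network and persistence indicators from the analysis above can be swept for directly. The following is an added example, not Fortinet's code: it checks constructed connection-log lines (assumed format "timestamp src -> dst:port") against the IRC server, bind port and IP listed above, and checks exported Run/RunOnce entries for the "NvCpl32Deamon" value or the dropped file names.

```python
"""IOC sweep for the W32/Spybot.S indicators listed in the analysis (added example)."""
import re

# Indicators taken from the analysis section of this entry.
C2_HOST = "keksovat.pp.ru"
C2_PORT = 9991
BIND_IP = "65.110.52.120"
BIND_PORT = 31031
PERSIST_VALUE = "NvCpl32Deamon"
DROPPED_FILES = {"nvcpl.exe", "rswpscfg.dll"}
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Assumed log format: "<timestamp> <src> -> <dst>:<port>" (constructed for this example).
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+)")


def scan_connection_log(lines):
    """Return (timestamp, dst, port, reason) for each line matching a network IOC."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        dst, port = m["dst"].lower(), int(m["port"])
        if dst == C2_HOST and port == C2_PORT:
            hits.append((m["ts"], dst, port, "IRC C2 server"))
        elif dst == BIND_IP or port == BIND_PORT:
            hits.append((m["ts"], dst, port, "bind port 31031 / 65.110.52.120"))
    return hits


def scan_registry(entries):
    """entries: iterable of (key, value_name, data) exported from Run/RunOnce keys."""
    hits = []
    for key, name, data in entries:
        in_run_key = key.rstrip("\\") in RUN_KEYS
        binary = data.split("\\")[-1].lower()
        if in_run_key and (name == PERSIST_VALUE or binary in DROPPED_FILES):
            hits.append((key, name, data))
    return hits


# Constructed sample data: two IOC hits and one benign line / entry.
SAMPLE_LOG = [
    "2001-03-05T10:00:00 10.0.0.5 -> keksovat.pp.ru:9991",
    "2001-03-05T10:00:01 10.0.0.5 -> www.example.com:443",
    "2001-03-05T10:00:02 10.0.0.7 -> 65.110.52.120:31031",
]
SAMPLE_REG = [
    (RUN_KEYS[0] + "\\", "NvCpl32Deamon", "nvcpl.exe"),
    (RUN_KEYS[0] + "\\", "Updater", r"C:\Program Files\Vendor\updater.exe"),
]
```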
Telemetry
Detection Availability
- FortiGate
- Extended
- FortiClient
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR