Virus

W32/Traf.A!worm

Analysis


Specifics
This malware is a 32-bit Windows executable with a packed file size of 18,544 bytes. Its only function is to launch a Denial of Service (DoS) attack against a single hard-coded IP address, 218.5.76.168, which belongs to a system hosted in Asia. The malware has no purpose other than attempting to cause a DoS condition against that target.


Loading At Windows Startup
If this Trojan is run, it copies itself to the Windows System folder (System32 on NT-based Windows) as "Kernel32.exe" and immediately executes that copy. Note that the legitimate Windows component is the library Kernel32.dll; an executable named Kernel32.exe in the System folder is not part of Windows and should be treated as suspect. The Trojan then adds the following registry value so that the copy is launched at each Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"Kernel32" = Kernel32.exe

DoS Payload
The Trojan continuously sends TCP SYN packets to the target IP address 218.5.76.168. The volume of packets sent can cause a Denial of Service condition (a SYN flood) on the target system, and the sustained outbound traffic will also consume bandwidth on the infected host's network.
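The following PowerShell triage script is an added example, not part of the Fortinet write-up, and checks an individual Windows host for the three indicators described in the "Loading At Windows Startup" and "DoS Payload" sections: the Run-key value, the dropped Kernel32.exe copy, and live TCP connections to the hard-coded victim address. The indicator values come from the analysis above; the function and variable names are this script's own assumptions. Run it in an elevated PowerShell session on the suspect host.

```powershell
# Added triage script (example code, not from the original analysis).
# Indicator values are taken from the W32/Traf.A!worm write-up; names below are ours.
$TargetIp  = '218.5.76.168'
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue  = 'Kernel32'
$DropName  = 'Kernel32.exe'

function Test-TrafIndicators {
    $found = @()

    # 1. Autostart entry: HKLM\...\Run  "Kernel32" = Kernel32.exe
    $entry = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    if ($entry) {
        $found += [pscustomobject]@{
            Indicator = 'RunKey'
            Detail    = "$RunKey\$RunValue = $($entry.$RunValue)"
        }
    }

    # 2. Dropped copy in the System folder. Kernel32.dll is a legitimate Windows
    #    library; an executable called Kernel32.exe is not, so any hit is suspect.
    #    Both System32 (NT-based Windows) and System (Win9x) are checked.
    foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\System")) {
        $path = Join-Path $dir $DropName
        if (Test-Path -LiteralPath $path) {
            $size = (Get-Item -LiteralPath $path).Length
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $found += [pscustomobject]@{
                Indicator = 'DroppedFile'
                Detail    = "$path size=$size sha256=$hash"
            }
        }
    }

    # 3. Live SYN-flood traffic: half-open (SynSent) or established TCP
    #    connections to the victim address, with the owning process.
    $conns = Get-NetTCPConnection -RemoteAddress $TargetIp -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $found += [pscustomobject]@{
            Indicator = 'Network'
            Detail    = "$($c.State) to ${TargetIp}:$($c.RemotePort) pid=$($c.OwningProcess) ($($proc.ProcessName))"
        }
    }

    return $found
}

$hits = Test-TrafIndicators
if (-not $hits -or $hits.Count -eq 0) {
    Write-Output "No W32/Traf.A!worm indicators found on $env:COMPUTERNAME."
} else {
    Write-Output "W32/Traf.A!worm indicators found on $env:COMPUTERNAME:"
    $hits | Format-Table -AutoSize
}
```

The network check only sees the infection while the flood is running, so the registry and file checks are the reliable indicators on a host that has since rebooted or lost connectivity. If any indicator is present, stop the owning process before cleaning up, then remove the Run value (Remove-ItemProperty) and the dropped file, since the running copy would otherwise simply recreate its autostart entry. The SHA256 hash is recorded so the sample can be submitted for analysis rather than just deleted.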


Miscellaneous
This threat contains the string "DDoSer" in its code.


Recommended Action

  • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option