Virus

W32/Resumdor.B!tr

Analysis


Specifics
This Trojan is 32-bit with a packed file size of 32,256 bytes. The Trojan may contact an external web site and send information to a server-side script. If the Trojan is run, it may copy itself to the Windows\System folder as "ccmod32.exe" and into the Windows folder as "netddt.exe". The Trojan contains key-logging instructions and writes the captured data to a temporary file.


Loading at Windows Startup
If the Trojan is run, it could modify the registry to auto-run at the next Windows startup -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\info
"(Default)" =
"ver" = 1.6k3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"(Default)" = CMMOD32.EXE

The Trojan may also load from another file and location -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" = explorer.exe NETDDT.EXE
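The two persistence locations above can be checked from a registry export. The following script is an added example written for this page, not Fortinet's own tooling: it parses a text-format .reg export and flags the three indicators listed above (a default value on the Run key, extra programs appended to the Winlogon Shell value, and the HKLM\SOFTWARE\Microsoft\info marker key). The sample exports are constructed to mirror the listing, and the parser handles only REG_SZ string values, which is all these entries use.

```python
"""Flag the W32/Resumdor.B!tr persistence entries in a Windows .reg export.

Added example, not part of the original advisory. The inputs are constructed
registry exports (REGEDIT4 text format) that mimic the keys the advisory lists;
real data would come from `reg export` of the HKLM\SOFTWARE\Microsoft hive.
"""
import re
from typing import Dict, List

# Indicators taken from the advisory text above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\info"
DROPPED_NAMES = {"cmmod32.exe", "ccmod32.exe", "netddt.exe"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the text .reg format: returns {key: {value_name: data}}.

    Only REG_SZ ("quoted") data is decoded. The default value is recorded under
    the name "(Default)", as regedit displays it.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes and quotes inside string data.
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def find_persistence(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per advisory indicator present in the parsed export."""
    findings: List[str] = []

    # 1. Legitimate autoruns use named values; a non-empty default value on the
    #    Run key is suspicious on its own. The advisory shows it set to CMMOD32.EXE.
    run_default = keys.get(RUN_KEY, {}).get("(Default)", "")
    if run_default:
        tag = " (name listed in advisory)" if run_default.lower() in DROPPED_NAMES else ""
        findings.append(f"Run key default value set to {run_default!r}{tag}")

    # 2. Winlogon Shell should be exactly explorer.exe; the Trojan appends NETDDT.EXE.
    shell = keys.get(WINLOGON_KEY, {}).get("Shell", "explorer.exe")
    extra = [t for t in shell.split() if t.lower() != "explorer.exe"]
    if extra:
        findings.append(f"Winlogon Shell launches extra programs: {' '.join(extra)}")

    # 3. The HKLM\SOFTWARE\Microsoft\info key with a "ver" value is the Trojan's marker.
    if MARKER_KEY in keys and "ver" in keys[MARKER_KEY]:
        findings.append(f"Marker key present, ver={keys[MARKER_KEY]['ver']!r}")
    return findings


# Constructed sample export mirroring the advisory's listing (not a real capture).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\info]
@=""
"ver"="1.6k3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@="CMMOD32.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe NETDDT.EXE"
'''

# Constructed clean export: a named Run value and an unmodified Shell.
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAgent"="C:\\Program Files\\Example\\agent.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
'''

if __name__ == "__main__":
    for label, export in (("infected", SAMPLE_EXPORT), ("clean", CLEAN_EXPORT)):
        hits = find_persistence(parse_reg_export(export))
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print("  -", hit)
```

Running the script reports three findings for the constructed infected export and none for the clean one. The Winlogon check is deliberately generic: any token other than explorer.exe in the Shell value is reported, so the same check catches variants that use a different appended file name.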


Malicious User Notification
At some point the Trojan may attempt to contact a hard-coded website and send data to a server-side script. The information could include the IP address of the compromised system and logon credentials.


Miscellaneous
The Trojan contains these strings in its body -

1.6k3
kRESUMEk3


Recommended Action

  • Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, add this URL to the URL blocking list

    www27.brinkster.com