W32/Ranky.W !tr

Analysis


Specifics
This 32-bit threat has a size of 120,605 bytes when UPX compressed and a size of 165,149 bytes when uncompressed. Upon execution, it drops the following files in the Windows system directory:
- fecwvncd.exe (49,488 bytes)
- gqgqet.exe (49,488 bytes)
- sdwd.exe (23,360 bytes)

If the Windows system directory is not C:\WINNT\SYSTEM32, the worm may create the necessary directories and drop the two files "gqgqet.exe" and "sdwd.exe" into the directory SYSTEM32.
The processes named "fecwvncd.exe" and "sdwd.exe" can be observed in Windows Task Manager. The worm generates network traffic to connect to the IP address 66.118.142.125 (aka quebecbdsm.com) on TCP port 65475.
Loading At Windows Startup
The worm modifies the registry to run at each Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Msn Home = "C:\WINNT\SYSTEM32\sdwd.exe"
Monitor SynManager = "%Windir%\fecwvncd.exe"
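The dropped files, the two Run-key values and the C2 endpoint above are the host and network indicators a responder would sweep for. The following script is an added example (not FortiGuard's code) that matches already-collected observations against exactly those indicators; it assumes the system-directory listing, the HKLM Run key values and the active connections have been gathered separately (for instance from `dir`, `reg query` and `netstat -ano`) and parsed into the simple tuples shown, and all sample data below is constructed. It goes slightly beyond the text in one respect: a Run value is also flagged when it points at one of the dropped executables under a different value name, so a renamed persistence entry is still caught.

```python
"""Match host observations against the W32/Ranky.W indicators from the analysis.

Added example, not FortiGuard's code. Inputs are assumed to be pre-collected
and parsed; the SAMPLE_* data at the bottom is constructed for illustration.
"""
from dataclasses import dataclass

# Indicators taken from the analysis text.
C2_IP = "66.118.142.125"
C2_PORT = 65475
DROPPED_FILES = {  # file name (lower-case) -> size in bytes stated in the analysis
    "fecwvncd.exe": 49488,
    "gqgqet.exe": 49488,
    "sdwd.exe": 23360,
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {  # Run value name -> executable it points to
    "Msn Home": "sdwd.exe",
    "Monitor SynManager": "fecwvncd.exe",
}


@dataclass(frozen=True)
class Finding:
    kind: str    # "file", "registry" or "network"
    detail: str


def check_files(system_dir_listing):
    """system_dir_listing: iterable of (file_name, size_in_bytes) for the system directory.

    A name match with a different size is still reported, annotated as a possible variant.
    """
    findings = []
    for name, size in system_dir_listing:
        expected = DROPPED_FILES.get(name.lower())
        if expected is None:
            continue
        note = "" if size == expected else f" (size {size}, expected {expected}; variant?)"
        findings.append(Finding("file", f"{name}{note}"))
    return findings


def check_run_key(run_values):
    """run_values: iterable of (value_name, data) read from the HKLM Run key."""
    findings = []
    for value_name, data in run_values:
        # Last path component of the data, with surrounding quotes removed;
        # handles both C:\WINNT\SYSTEM32\sdwd.exe and %Windir%\fecwvncd.exe.
        target = data.strip('"').rsplit("\\", 1)[-1].lower()
        if value_name in RUN_VALUES or target in DROPPED_FILES:
            findings.append(Finding("registry", f"{RUN_KEY}\\{value_name} = {data}"))
    return findings


def check_connections(connections):
    """connections: iterable of (remote_ip, remote_port, pid) from netstat-style output."""
    return [Finding("network", f"{ip}:{port} pid={pid}")
            for ip, port, pid in connections
            if ip == C2_IP and port == C2_PORT]


def scan(system_dir_listing, run_values, connections):
    """Run all three checks and return the combined list of findings."""
    return (check_files(system_dir_listing)
            + check_run_key(run_values)
            + check_connections(connections))


# Constructed sample observations (not real telemetry).
SAMPLE_FILES = [
    ("kernel32.dll", 984064),      # benign, constructed size
    ("sdwd.exe", 23360),
    ("gqgqet.exe", 49488),
    ("FECWVNCD.EXE", 49488),       # case differs; still matched
]
SAMPLE_RUN = [
    ("ctfmon", r"C:\WINNT\system32\ctfmon.exe"),   # benign entry
    ("Msn Home", r"C:\WINNT\SYSTEM32\sdwd.exe"),
    ("Monitor SynManager", r"%Windir%\fecwvncd.exe"),
]
SAMPLE_CONN = [
    ("10.0.0.5", 445, 4),
    ("66.118.142.125", 65475, 1234),   # the C2 endpoint from the analysis
    ("66.118.142.125", 80, 1234),      # same host, different port: not reported
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_CONN):
        print(f"[{finding.kind}] {finding.detail}")
```

Matching on the C2 IP together with the port keeps the network check specific to what the analysis describes; a host that merely resolves or browses to the same address on another port is not reported. The size annotation in `check_files` is there because a same-named file of a different size is the usual sign of a repacked variant rather than a clean miss.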


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Use the FortiGate unit to add the IP address 66.118.142.125 to the list of URLs to block
