W32/Ranky.W !tr
Analysis
Specifics
This 32-bit threat is 120,605 bytes when UPX-compressed
and 165,149 bytes when uncompressed.
Upon execution, it drops the following files in the
Windows system directory:
- fecwvncd.exe (49,488 bytes)
- gqgqet.exe (49,488 bytes)
- sdwd.exe (23,360 bytes)
If the Windows system directory is not C:\WINNT\SYSTEM32,
the worm may create the necessary directories and drop
the two files "gqgqet.exe" and "sdwd.exe"
into that SYSTEM32 directory.
The processes named "fecwvncd.exe" and "sdwd.exe"
can be observed in Windows Task Manager. The worm generates
network traffic to connect to the IP address 66.118.142.125
(also known as quebecbdsm.com) on TCP port 65475.
Loading At Windows Startup
The worm modifies the registry to run at each Windows
startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Msn Home = "C:\WINNT\SYSTEM32\sdwd.exe"
Monitor SynManager = "%Windir%\fecwvncd.exe"
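The dropped files, the two Run-key values and the C2 endpoint listed above are the indicators a responder would sweep for. The following script is an added example, not part of the original Fortinet write-up: it encodes those indicators and checks them against constructed sample data (a Run-key dump, a file listing and firewall-style connection lines). The log line format, the `dst=host:port` token and the sample values are assumptions made for the example; the indicators themselves come from the page.

```python
"""Offline IOC triage for the W32/Ranky.W indicators described above.

All inputs below are constructed sample records, not real telemetry.
"""
import os
import re

# Indicators taken from the analysis above (file sizes in bytes).
DROPPED_FILES = {"fecwvncd.exe": 49488, "gqgqet.exe": 49488, "sdwd.exe": 23360}
RUN_VALUE_NAMES = {"msn home", "monitor synmanager"}   # HKLM\...\CurrentVersion\Run
C2_IP = "66.118.142.125"
C2_HOST = "quebecbdsm.com"
C2_PORT = 65475

# Pulls the trailing executable name out of Run-key data such as
#   "C:\WINNT\SYSTEM32\sdwd.exe"   or   %Windir%\fecwvncd.exe
_EXE_RE = re.compile(r'([^\\/"]+\.exe)\s*"?\s*$', re.IGNORECASE)

# Assumed log token format for the example: dst=<ip-or-host>:<port>
_DST_RE = re.compile(r'\bdst=([^\s:]+):(\d+)\b')


def check_run_values(run_values):
    """run_values: {value_name: data} read from the Run key.
    Returns (sorted) value names that match the worm's persistence entries,
    either by value name or by the dropped executable they launch."""
    hits = []
    for name, data in run_values.items():
        m = _EXE_RE.search(data)
        exe = m.group(1).lower() if m else ""
        if name.lower() in RUN_VALUE_NAMES or exe in DROPPED_FILES:
            hits.append(name)
    return sorted(hits)


def check_file_listing(listing):
    """listing: iterable of (path, size_bytes) from the system directory.
    Returns (path, size_matches) for every dropped-file name found. A size
    mismatch is reported rather than discarded: a repacked variant may differ."""
    findings = []
    for path, size in listing:
        base = os.path.basename(path.replace("\\", "/")).lower()
        if base in DROPPED_FILES:
            findings.append((path, size == DROPPED_FILES[base]))
    return findings


def check_connections(log_lines):
    """log_lines: constructed firewall-style lines with 'proto=<tcp|udp>' and
    'dst=<ip-or-host>:<port>' tokens. Returns (strong, weak): strong lines hit
    the C2 address on TCP/65475 exactly as described; weak lines reach the
    same address on another port and deserve a look but are weaker evidence."""
    strong, weak = [], []
    for line in log_lines:
        m = _DST_RE.search(line)
        if not m:
            continue
        dst, port = m.group(1).lower(), int(m.group(2))
        if dst not in (C2_IP, C2_HOST):
            continue
        if port == C2_PORT and "proto=tcp" in line.lower():
            strong.append(line)
        else:
            weak.append(line)
    return strong, weak


# --- constructed sample data -------------------------------------------------
SAMPLE_RUN = {
    "Msn Home": '"C:\\WINNT\\SYSTEM32\\sdwd.exe"',
    "Monitor SynManager": "%Windir%\\fecwvncd.exe",
    "SecurityHealth": "%ProgramFiles%\\Windows Defender\\MSASCuiL.exe",  # benign
}
SAMPLE_FILES = [
    ("C:\\WINNT\\SYSTEM32\\gqgqet.exe", 49488),
    ("C:\\WINNT\\SYSTEM32\\sdwd.exe", 23360),
    ("C:\\WINNT\\SYSTEM32\\notepad.exe", 69120),   # benign
    ("C:\\WINNT\\SYSTEM32\\fecwvncd.exe", 50001),  # name matches, size does not
]
SAMPLE_LOG = [
    "proto=tcp src=10.0.0.5:1043 dst=66.118.142.125:65475 action=accept",
    "proto=tcp src=10.0.0.5:1044 dst=66.118.142.125:80 action=accept",
    "proto=udp src=10.0.0.5:1045 dst=10.0.0.1:53 action=accept",
]

if __name__ == "__main__":
    print("Run-key hits:", check_run_values(SAMPLE_RUN))
    print("File hits:   ", check_file_listing(SAMPLE_FILES))
    strong, weak = check_connections(SAMPLE_LOG)
    print("C2 (strong): ", strong)
    print("C2 (weak):   ", weak)
```

The Run-key check matches on either the value name or the launched executable, because a variant can rename one without the other; the file check keeps name matches with a wrong size so that an analyst sees them instead of silently losing a repacked sample.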
Recommended Action
- Check the main screen of the web interface of your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
- Use the FortiGate unit to add the IP address 66.118.142.125 to the list of URLs to block.