Virus

W32/Maz.A

Analysis

  • Threat is 32bit and has a UPX compressed file size of 4096 bytes
  • This threat may have been mass-mailed as spam from a hacker or group of hackers
  • When executed, this threat will modify the registry by creating keys and modifying them to load the threat at Windows startup -

    Keys created:
    HKEY_CLASSES_ROOT\.inr
    HKEY_CLASSES_ROOT\.inr\5Nzg1mOWKzFnuvu6

    Windows startup key modification:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run
    .inr\5Nzg1mOWKzFnuvu6 = undefinedP\undefinedF

    Where undefinedP is the path and undefinedF is the file name location of the threat when it was executed

  • This threat will attempt to connect with the IP address 66.150.1.145 (a Hypernet.net account) and download a remote access Trojan (RAT) binary, then execute it
  • The downloaded Trojan will then copy itself to the Windows\System folder as "MSREXE.EXE" and also modify the registry to load at Windows startup
  • The downloader threat contains these strings -

    Hello, world Inor

Recommended Action

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option