W32/Migmaf
Analysis
- Trojan is a 32-bit Windows executable with a compressed size of 46,080 bytes.
- Trojan is most likely installed during a hacking attempt against the target system (for example after an exploit has given the attacker remote access), or by a Trojan dropper that the user runs by accident.
- When the Trojan is started on the target system it runs in memory for a time before attempting to connect to the Internet. It modifies the registry so that it is loaded at Windows startup from its installed location, possibly under the file name "Wingate.exe":
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  "Login Service"=(path and file name of Trojan)
- Trojan runs as an Internet proxy so that the infected system acts as a "middle-man", relaying connections from a requesting IP address (possibly the hacker or group of hackers) to a remote IP address.
- Trojan listens on TCP port 80, the port normally used for HTTP requests; note that legitimate web servers also listen there, so a port 80 listener alone is not conclusive. The Trojan may make numerous connections to IP addresses in the 78.x.x.x, 209.x.x.x and 216.x.x.x ranges and to ns1.liquidacid.org, among others.
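The two host-side indicators above, the Run-key value and the port 80 listener, can be triaged from a registry export and netstat output without touching the live process. The following Python script is an added example, not part of the original analysis: the .reg and netstat samples embedded in it are constructed, and the value-name check, the wingate.exe file-name check and the /8 watch ranges are assumptions taken from the bullets above rather than tested detection signatures.

```python
"""Triage helpers for the W32/Migmaf indicators described above.

Added example, not code from the original write-up.  Assumptions: the
registry input is a ``reg export`` of the HKCU Run key and the network
input is ``netstat -ano`` output; both samples below are constructed.
"""
import ipaddress
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_VALUE_NAME = "login service"      # value name the write-up attributes to the Trojan
SUSPECT_BINARIES = {"wingate.exe"}        # file name it may install under
# The write-up only gives /8 ranges; these are far too broad to act on alone.
LOW_CONFIDENCE_NETS = [ipaddress.ip_network(n)
                       for n in ("78.0.0.0/8", "209.0.0.0/8", "216.0.0.0/8")]

# Constructed sample: one benign autorun entry and one Migmaf-style entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\OneDrive\\OneDrive.exe\" /background"
"Login Service"="C:\\WINDOWS\\system32\\wingate.exe"
'''

# Constructed sample in ``netstat -ano`` layout (Proto, Local, Foreign, State, PID).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1884
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    10.0.0.5:1042          209.85.1.7:80          ESTABLISHED     1884
  TCP    10.0.0.5:1043          216.58.3.9:80          ESTABLISHED     1884
  TCP    10.0.0.5:1044          10.0.0.9:445           ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    720
"""


def _exe_basename(command):
    """Return the lower-cased file name of the executable in a Run value."""
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1].lower()


def find_run_persistence(reg_text):
    """Return (value_name, command, reason) for Migmaf-style Run entries."""
    hits, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if not m or current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        name = m.group(1)
        command = re.sub(r'\\(["\\])', r"\1", m.group(2))   # undo .reg escaping
        if name.lower() == SUSPECT_VALUE_NAME:
            hits.append((name, command, "value name 'Login Service'"))
        elif _exe_basename(command) in SUSPECT_BINARIES:
            hits.append((name, command, "binary named wingate.exe"))
    return hits


def _parse_netstat(netstat_text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state, pid) per TCP row."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        try:
            (lhost, lport), (rhost, rport) = (p.rsplit(":", 1) for p in parts[1:3])
            yield (ipaddress.ip_address(lhost.strip("[]")), int(lport),
                   ipaddress.ip_address(rhost.strip("[]")), int(rport),
                   parts[3], int(parts[4]))
        except ValueError:        # '*' addresses or malformed rows
            continue


def find_port80_listeners(netstat_text):
    """PIDs with a TCP socket listening on port 80 (the Trojan's proxy port)."""
    return {row[5] for row in _parse_netstat(netstat_text)
            if row[1] == 80 and row[4] == "LISTENING"}


def score_listeners(netstat_text):
    """For each port-80 listener, count established connections into the
    low-confidence ranges.  A real web server also listens on 80, so this
    only ranks candidates; confirm with the Run-key hit and the binary itself."""
    scores = {pid: 0 for pid in find_port80_listeners(netstat_text)}
    for _, _, rhost, _, state, pid in _parse_netstat(netstat_text):
        if pid in scores and state == "ESTABLISHED" and \
                any(rhost in net for net in LOW_CONFIDENCE_NETS):
            scores[pid] += 1
    return scores


if __name__ == "__main__":
    for name, command, reason in find_run_persistence(SAMPLE_REG):
        print(f"Run entry '{name}' -> {command}  ({reason})")
    for pid, n in score_listeners(SAMPLE_NETSTAT).items():
        print(f"PID {pid} listens on TCP/80 with {n} connection(s) into watch ranges")
```

On a suspect host, collect the inputs with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and `netstat -ano > netstat.txt`, then feed the file contents to the two functions on an analysis workstation. The Run-key hit is the strong signal; the port 80 score only orders listeners for manual review, because the /8 ranges in the write-up cover a large fraction of the Internet.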