W32/Migmaf

Analysis

  • The Trojan is a 32-bit executable with a compressed size of 46,080 bytes
  • The Trojan is most likely installed through a direct intrusion into the target system, by a Trojan program the user runs accidentally, or remotely via an exploit used to gain remote access
  • When the Trojan is started on the target system, it runs in memory for a time before attempting to connect to the Internet. It modifies the registry so that it loads at Windows startup from its installed location (possibly under the file name “Wingate.exe”):
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    "Login Service"=(path and file name of Trojan)
  • The Trojan runs as an Internet proxy, so that the infected system acts as a “middle-man” connecting a requesting IP address (possibly the hacker or group of hackers) to a remote IP address
  • The Trojan listens on TCP port 80, the port also used for HTTP requests. It may make numerous connections to IP addresses in the ranges 78.x.x.x, 209.x.x.x and 216.x.x.x, and to ns1.liquidacid.org, among others
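
The following PowerShell check is an added example, not part of the original write-up. It looks for the three host-side indicators listed above (the “Login Service” Run value, a file named Wingate.exe, and an unexpected process listening on TCP port 80); the search directories and the list of expected web-server process names are assumptions to adjust for your environment.

```powershell
# Added example: host check for the W32/Migmaf indicators described above.
# Assumes Windows PowerShell 5+ with the NetTCPIP module (Get-NetTCPConnection).
$findings = @()

# 1. Persistence: HKCU Run value "Login Service" (value name from the write-up)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'Login Service' -ErrorAction SilentlyContinue
if ($runVal) {
    $findings += "Run value 'Login Service' -> $($runVal.'Login Service')"
}

# 2. Dropped file name from the write-up; install location varies, so a few
#    common directories are checked (assumption: extend as needed)
$dirs = @($env:SystemRoot, "$env:SystemRoot\System32", $env:TEMP)
foreach ($d in $dirs) {
    $p = Join-Path $d 'Wingate.exe'
    if (Test-Path $p) { $findings += "File present: $p" }
}

# 3. Proxy behaviour: a TCP/80 listener that is not a known web server.
#    'System' covers http.sys (IIS). Assumption: adjust for your hosts.
$known = @('httpd', 'nginx', 'w3wp', 'System')
Get-NetTCPConnection -State Listen -LocalPort 80 -ErrorAction SilentlyContinue |
  ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and $known -notcontains $proc.ProcessName) {
        $findings += "TCP/80 listener: $($proc.ProcessName) (PID $($proc.Id)) $($proc.Path)"
    }
  }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No W32/Migmaf indicators found.' }
```

A hit on the Run value or the port-80 listener alone is not proof of infection; confirm the flagged file against a current scanner before removing it.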

Telemetry