This Trojan is 32-bit with a packed file size of 32,256 bytes. The Trojan may contact an external web site and send information to a server-side script. If the Trojan is run, it may copy itself to the Windows\System folder as "ccmod32.exe", and into the Windows folder as "netddt.exe". The Trojan contains key logging instructions and writes critical data to a temporary data file.

Loading at Windows Startup
If the Trojan is run, it could modify the registry to run automatically at the next Windows startup -

"(Default)" =
"ver" = 1.6k3
"(Default)" = CMMOD32.EXE

The Trojan may also load from another file and location -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" = explorer.exe NETDDT.EXE
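
A check for the Winlogon "Shell" change described above, as an added example that is not part of the original description: it parses the text output of `reg query` for that key and reports every Shell entry other than explorer.exe. The sample output, the function names and the "known"/"unexpected" labels are constructed for illustration; the file names are the ones given in this description.

```python
import re

EXPECTED_SHELL = "explorer.exe"   # default Winlogon Shell on a clean system
# File names as they appear in the description above.
KNOWN_NAMES = {"netddt.exe", "ccmod32.exe", "cmmod32.exe"}

# Constructed sample of `reg query ... /v Shell` output for an affected host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe NETDDT.EXE
"""

def parse_reg_query(output):
    """Return {value_name_lowercased: data} from `reg query` text output."""
    values = {}
    for line in output.splitlines():
        # Value lines are indented: <name> <REG_TYPE> <data>
        m = re.match(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$", line)
        if m:
            values[m.group(1).lower()] = m.group(3).strip()
    return values

def audit_shell(data):
    """Return (file_name, verdict) for every Shell entry except explorer.exe."""
    findings = []
    # Entries may be separated by spaces or commas; quoted paths stay whole.
    # Arguments and unquoted paths with spaces are also reported, for review.
    for token in re.findall(r'"[^"]+"|[^\s,]+', data):
        name = token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name != EXPECTED_SHELL:
            verdict = "known" if name in KNOWN_NAMES else "unexpected"
            findings.append((name, verdict))
    return findings

def check(output):
    """Audit the Shell value in `reg query` output; a missing value is reported."""
    shell = parse_reg_query(output).get("shell")
    return [("<no Shell value>", "missing")] if shell is None else audit_shell(shell)

if __name__ == "__main__":
    for name, verdict in check(SAMPLE):
        print(f"{verdict}: {name}")
```

The comparison uses the file name only, so an explorer.exe entry that points outside the Windows folder still needs a manual look.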

Malicious User Notification
At some point the Trojan may attempt to contact a hard-coded website and send data using a server-side script. The information could be data such as the IP address of the compromised system and other logon credential data.

The Trojan contains these strings in its body -


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, add this URL to the URL blocking list