This Trojan is 32-bit with a packed file size of 32,256 bytes. The Trojan may contact an external web site and send information to a server-side script. If the Trojan is run, it may copy itself to the Windows\System folder as "ccmod32.exe", and into the Windows folder as "netddt.exe". The Trojan contains key logging instructions, writing critical data to a temporary data file.
Loading at Windows Startup
If the Trojan is run, it could modify the registry to run automatically at the next Windows startup -
"ver" = 1.6k3
"(Default)" = CMMOD32.EXE
The Trojan may also load from another file and location -
"Shell" = explorer.exe NETDDT.EXE
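To check a system for these startup changes, the following added example (not part of the original description) scans autorun settings exported as text in the "name" = value notation used above. It flags any value that references the file names given in this description and any "Shell" value that lists a program after explorer.exe. The function names and the sample export are constructed for illustration.

```python
import re

# File names taken from the description above; both spellings of the first
# name appear on the page, so both are matched.
KNOWN_NAMES = {"ccmod32.exe", "cmmod32.exe", "netddt.exe"}
ENTRY_RE = re.compile(r'^\s*"(?P<name>[^"]+)"\s*=\s*(?P<value>.*\S)\s*$')


def parse_entries(text):
    """Parse lines written as "name" = value into (name, value) pairs."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("value").strip('"')))
    return entries


def basename(token):
    """Lower-cased file name of a token, with any Windows path removed."""
    return token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(text):
    """Return (name, value, reason) findings for suspicious autorun entries."""
    findings = []
    for name, value in parse_entries(text):
        tokens = value.split()
        hits = sorted({basename(t) for t in tokens} & KNOWN_NAMES)
        if hits:
            findings.append((name, value, "references " + ", ".join(hits)))
        # A clean Shell value names only explorer.exe; anything after it also starts.
        if name.lower() == "shell" and len(tokens) > 1 and not hits:
            findings.append((name, value, "extra program after shell"))
    return findings


# Constructed sample export, not captured from an infected system.
SAMPLE = '''
"Shell" = explorer.exe NETDDT.EXE
"(Default)" = CMMOD32.EXE
"ver" = 1.6k3
"Shell" = explorer.exe
"Shell" = explorer.exe C:\\Tools\\helper.exe
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```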
Malicious User Notification
At some point the Trojan may attempt to contact a hard-coded website and send data using a server-side script. The information could be data such as the IP address of the compromised system and other logon credential data.
The Trojan contains these strings in its body -
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push
- Using the FortiGate manager, add this URL to the URL blocking list