This Trojan creates new network shares on a compromised system. The shares are named 'RPC$' and 'USR$'. This Trojan may be installed by a dropper or by other combination malware.
The Trojan will create output files which contain sensitive configuration details. These are the output files created -
The files 'msmgmt.dll' and 'png00002.jpg' may contain the following types of data -
- environment variables in memory
- listing of currently running services
- directory listing of root files, program files, and their ownership details
- other log file entries indicating if commands initiated at the MS-DOS level were successful or not
New Shares Created
The Trojan may add two additional shares to the system by these names - 'RPC$' and 'USR$'.
The system registry is updated to reflect how these shares are used -
"RPC$" = "CSCFlags=0 MaxUses=429496795 Path=c:\ Permissions=63 Remark=Vyhrazeno systemu Windows Type=0"
"USR$" = "CSCFlags=0 MaxUses=429496795 Path=<user profile folder> Permissions=63 Remark=Vychozi sdileni uzivatele Type=0"
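The share definitions quoted above follow the "Key=Value" multi-string layout Windows keeps under the LanmanServer\Shares registry key. The following is an added example (not code from the Fortinet write-up) that parses such definitions and flags the indicators described on this page: the RPC$/USR$ names, a share rooted at a drive, and Permissions=63. The sample share data, including the path C:\Users\alice, is constructed.

```python
import re
from typing import Dict, List

# Share names described in the write-up; the trailing '$' hides a share from
# network browsing, so a registry or API check is needed to see them.
SUSPICIOUS_SHARE_NAMES = {"RPC$", "USR$"}

# Constructed sample resembling the REG_MULTI_SZ values quoted on the page,
# plus one benign share so the detector has something to leave alone.
SAMPLE_SHARES: Dict[str, List[str]] = {
    "RPC$": ["CSCFlags=0", "MaxUses=429496795", "Path=c:\\", "Permissions=63",
             "Remark=Vyhrazeno systemu Windows", "Type=0"],
    "USR$": ["CSCFlags=0", "MaxUses=429496795", "Path=C:\\Users\\alice",
             "Permissions=63", "Remark=Vychozi sdileni uzivatele", "Type=0"],
    "Public": ["CSCFlags=0", "MaxUses=4294967295", "Path=C:\\Users\\Public",
               "Permissions=0", "Remark=", "Type=0"],
}


def parse_share(fields: List[str]) -> Dict[str, str]:
    """Turn ["Key=Value", ...] into a dict, splitting on the first '=' only
    so that a Remark containing '=' is preserved intact."""
    props: Dict[str, str] = {}
    for field in fields:
        key, _, value = field.partition("=")
        props[key.strip()] = value.strip()
    return props


def suspicious_shares(shares: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {share_name: [reasons]} for every share matching an indicator."""
    findings: Dict[str, List[str]] = {}
    for name, fields in shares.items():
        props = parse_share(fields)
        reasons = []
        if name.upper() in SUSPICIOUS_SHARE_NAMES:
            reasons.append("share name matches a known indicator")
        path = props.get("Path", "")
        if re.fullmatch(r"[A-Za-z]:\\?", path):      # e.g. "c:\" exposes a whole drive
            reasons.append("share exposes a drive root: " + path)
        if props.get("Permissions") == "63":
            reasons.append("Permissions=63 as in the quoted registry values")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for share, why in suspicious_shares(SAMPLE_SHARES).items():
        print(share, "->", "; ".join(why))
```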
Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.