• Drops the following files:
    • a file with a random name in the same directory as the malware
    • undefinedSystemundefined\wincom32.sys
    • undefinedSystemundefined\wincom32.ini
  • Adds the following registry:
    • key: HKLM\SYSTEM\CurrentControlSet\Services\wincom32\ImagePath
    • value: c:\windows\system32\wincom32.sys
    • data:
  • Has rootkit capabilites, enabling the wincom32.*  files and the added registry key to be hidden.

  • Binds to UDP port 11271 and continuously sends packets to several IP addresses. The file wincom32.ini  contains the encrypted initial list of peers..
  • Recommended Action

      FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.