• The threat is a 32-bit executable with a compressed file size of 30,720 bytes
  • If the Trojan is run, it will copy itself to the %Windows%\System32 folder and create an additional DLL file -

    C:\WINNT\system32\nvcpl.exe (30,720 bytes)
    C:\WINNT\system32\rswpscfg.dll (59,392 bytes)

  • The threat will attempt to connect to the IRC server using TCP port 9991 and join the channel "zomb-mail"

  • While connected to the IRC server, the bot will await instructions from a hacker or group of hackers

  • The Trojan may also bind to TCP port 31031 with the IP address

  • The threat will auto run at Windows startup because of a registry modification -

    "NvCpl32Deamon" = nvcpl.exe (extra data)
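Added example (not from this entry or from Fortinet): a small Python triage routine that matches constructed endpoint and network telemetry against the indicators listed above and reports hosts showing more than one indicator family. The event field names and the two-family threshold are assumptions of this example.

```python
"""Match constructed telemetry against the indicators described in this entry.
Event field names (type, path, value_name, data, dst_port, listen_port, text)
are assumptions of this example, not a real product schema."""
from __future__ import annotations
from collections import defaultdict

DROPPED_FILES = {"nvcpl.exe", "rswpscfg.dll"}   # written to %Windows%\System32
RUN_VALUE_NAME = "nvcpl32deamon"                # autorun value name (misspelling as seen)
IRC_PORT = 9991                                 # outbound port to the IRC server
IRC_CHANNEL = "zomb-mail"                       # channel the bot joins
BIND_PORT = 31031                               # port the Trojan may bind to

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def match_event(ev: dict) -> list[str]:
    """Return the indicator labels (family:detail) a single event matches."""
    hits = []
    t = ev.get("type")
    if t == "file_create":
        path = ev.get("path", "").lower()
        if basename(path) in DROPPED_FILES and "\\system32\\" in path:
            hits.append("drop:" + basename(path))
    elif t == "registry_set":
        if ev.get("value_name", "").lower() == RUN_VALUE_NAME:
            hits.append("autorun:" + ev.get("value_name", ""))
    elif t == "net_connect" and ev.get("dst_port") == IRC_PORT:
        hits.append("irc_port:%d" % IRC_PORT)
    elif t == "net_listen" and ev.get("listen_port") == BIND_PORT:
        hits.append("bind_port:%d" % BIND_PORT)
    elif t == "irc_text" and IRC_CHANNEL in ev.get("text", "").lower():
        hits.append("irc_channel:" + IRC_CHANNEL)
    return hits

def triage(events: list[dict]) -> dict[str, list[str]]:
    """Group hits per host; keep hosts with two or more distinct indicator
    families (a lone connection to port 9991 is not enough on its own)."""
    per_host = defaultdict(set)
    for ev in events:
        for h in match_event(ev):
            per_host[ev["host"]].add(h)
    return {host: sorted(v) for host, v in per_host.items()
            if len({x.split(":")[0] for x in v}) >= 2}

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"host": "ws01", "type": "file_create", "path": r"C:\WINNT\system32\nvcpl.exe"},
    {"host": "ws01", "type": "file_create", "path": r"C:\WINNT\system32\rswpscfg.dll"},
    {"host": "ws01", "type": "registry_set", "value_name": "NvCpl32Deamon", "data": "nvcpl.exe"},
    {"host": "ws01", "type": "net_connect", "dst_port": 9991},
    {"host": "ws01", "type": "irc_text", "text": "JOIN #zomb-mail"},
    {"host": "ws02", "type": "net_connect", "dst_port": 9991},                 # one family only
    {"host": "ws03", "type": "file_create", "path": r"C:\Users\a\Downloads\nvcpl.exe"},  # not System32
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```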

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Add these web addresses to the block list in FortiGate -