
W32/Bagle.Y!tr - Released Apr 19, 2004 - Last Updated Mar 13, 2007

Alias/es

Mitglieder, W32/Bagle.Y!tr

Detection Availability

              Active Database    Extended Database
FortiGate     low                high
FortiClient
FortiMail     N/A

Visible Symptoms

  • Possible firewall alert that the file "irun4.exe" is attempting to access the Internet

  • Creation of these files in the System32 folder -

    system.exe - 25,600 bytes
    irun4.exe - 17,408 bytes
    iinj4.exe - 1,536 bytes


Detailed Analysis


Specifics
The Trojan is a 32-bit executable and a variant of the Mitglieder proxy Trojan. The Mitglieder Trojan and the Bagle virus families share some code and structure. This Trojan functions as an SMTP mail relay on a compromised system.


Loading At Windows Startup
If the Trojan is run, it copies itself into the System32 folder -

C:\WINNT\System32\WINDOW.exe

The Trojan registers itself to run automatically at the next Windows startup, as in this example -

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"ssgrate" = C:\WINNT\System32\irun4.exe


SMTP Proxy/Remote Access Capability
This Trojan binds to a randomly selected TCP port and awaits a connection from a malicious user. It would be possible to telnet to a compromised system, issue SMTP commands and carry out SMTP delivery via the Trojan's SMTP proxy code.
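The indicators listed under Visible Symptoms and Loading At Windows Startup (the dropped file names and sizes, the "ssgrate" Run value, and irun4.exe making network connections) can be turned into a simple host check. The script below is an added example written for this page, not Fortinet's tooling; it takes a System32 listing, the HKCU Run values and a netstat-style table as plain Python data so it runs offline, and the sample data at the bottom is constructed to mimic an infected host. Because the write-up says the relay port is chosen at random, the network check keys on the owning process rather than on a port number, and a file whose name matches but whose size differs is still reported, flagged as a possible variant.

```python
"""Constructed example: checking a host for the W32/Bagle.Y!tr indicators
named in this write-up (dropped files, the "ssgrate" Run value and the
irun4.exe network activity). All input data below is made up for the
demonstration; on a live system the same functions would be fed the real
System32 listing, the HKCU Run key values and a netstat-style table."""

from dataclasses import dataclass

# Indicators taken from the write-up: file name -> size in bytes.
# None means the write-up gives no size for that file.
DROPPED_FILES = {
    "system.exe": 25_600,
    "irun4.exe": 17_408,
    "iinj4.exe": 1_536,
    "window.exe": None,
}

RUN_VALUE_NAME = "ssgrate"      # value under HKCU\...\CurrentVersion\Run
RELAY_PROCESS = "irun4.exe"     # process the firewall alert names


@dataclass(frozen=True)
class Finding:
    category: str   # "file", "registry" or "network"
    detail: str


def check_dropped_files(system32_listing):
    """system32_listing: iterable of (file_name, size_in_bytes).

    Reports every file whose name matches an indicator. A size mismatch
    is still reported (a repacked variant would differ) but is marked so
    an analyst knows the match is weaker."""
    findings = []
    for name, size in system32_listing:
        key = name.lower()
        if key not in DROPPED_FILES:
            continue
        expected = DROPPED_FILES[key]
        if expected is None or expected == size:
            findings.append(Finding("file", f"{name} ({size} bytes)"))
        else:
            findings.append(Finding(
                "file",
                f"{name} ({size} bytes, expected {expected}; possible variant)"))
    return findings


def check_run_key(run_values):
    """run_values: mapping of Run value name -> command string, as read from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.

    Flags the documented value name and, independently, any Run entry that
    launches one of the dropped file names (the value name alone could be
    changed by a variant)."""
    findings = []
    for value_name, command in run_values.items():
        exe = command.strip('"').split("\\")[-1].lower()
        if value_name.lower() == RUN_VALUE_NAME:
            findings.append(Finding("registry", f'Run value "{value_name}" = {command}'))
        elif exe in DROPPED_FILES:
            findings.append(Finding("registry", f'Run value "{value_name}" launches {exe}'))
    return findings


def check_listeners(netstat_rows):
    """netstat_rows: iterable of (process_name, local_port, state).

    The write-up says the relay listens on a randomly chosen TCP port, so
    there is no port to match; any LISTENING socket owned by the named
    process is reported instead."""
    return [
        Finding("network", f"{proc} listening on TCP/{port}")
        for proc, port, state in netstat_rows
        if proc.lower() == RELAY_PROCESS and state.upper() == "LISTENING"
    ]


def scan_host(system32_listing, run_values, netstat_rows):
    """Run all three checks and return the combined list of findings."""
    return (check_dropped_files(system32_listing)
            + check_run_key(run_values)
            + check_listeners(netstat_rows))


# Constructed sample data mimicking an infected host (not real telemetry).
SAMPLE_FILES = [
    ("kernel32.dll", 742_912),
    ("system.exe", 25_600),
    ("irun4.exe", 17_408),
    ("iinj4.exe", 1_600),    # size differs from the write-up: flagged as possible variant
]
SAMPLE_RUN = {
    "ctfmon.exe": "C:\\WINNT\\System32\\ctfmon.exe",
    "ssgrate": "C:\\WINNT\\System32\\irun4.exe",
}
SAMPLE_NETSTAT = [
    ("svchost.exe", 135, "LISTENING"),
    ("irun4.exe", 47213, "LISTENING"),   # constructed "random" relay port
    ("irun4.exe", 25, "ESTABLISHED"),    # outbound SMTP from the relay, not a listener
]

if __name__ == "__main__":
    for finding in scan_host(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_NETSTAT):
        print(f"[{finding.category}] {finding.detail}")
```

Running the script against the sample data reports three file findings (one marked as a possible variant), the "ssgrate" Run value and the irun4.exe listener; the ESTABLISHED row is deliberately ignored because it is not evidence of the listening proxy.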



Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option

Reference: ID - 22976