W32/Agent.HD!tr

Analysis

This Trojan installs itself as a file named "iejava.exe" in the %System% folder on the local system. It attempts to notify (presumably) the Trojan author by calling a server-side script that uploads the IP address and TCP port in use by the Trojan. The TCP port used by the Trojan is selected at random.

Loading at Windows startup
The Trojan installs itself to the %System% folder and adds an entry to the registry so that the Trojan is loaded at each startup -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"IE Java Update" = C:\WINNT\System32\iejava.exe

Server Connection Attempts
The Trojan tries to connect to two domains and run server-side scripts that write the IP address and TCP port it uses to a log file. The domains were not reachable at the time of this writing. The URLs involved are the following -

http://ole.reallynice.info/sysupdate.php/?p=
http://user.reallynice.info/sysupdate12.php/?p=
http://kernel.reallynice.info/sysupdate12.php/?p=
http://win32.reallynice.info/sysupdate12.php/?p=
http://os.reallynice.info/sysupdate12.php/?p=
http://win32.simpleyetgood.com/sysupdate4f.php/?p=
http://os.simpleyetgood.com/syswinupdate33.php/?p=
http://ole.simpleyetgood.com/sysupdate2a.php/?p=
http://msp.simpleyetgood.com/sysosupdate1.php/?p=
http://msup.simpleyetgood.com/sysoleupdate.php/?p=
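The two observable indicators above, the Run-key entry and the beacon URLs, lend themselves to a simple triage check. The following is an added example, not Fortinet's code or part of the original analysis. It assumes two constructed inputs: a text export of the Run key in the format written by `reg export`, and web-proxy log lines in a simplified "timestamp client url" layout. The beacon matcher generalizes the ten listed URLs to the pattern they share (a host under one of the two domains and a `sys...update....php` script with a `p=` query) and compares the registered domain rather than a substring, so look-alike hosts are not matched.

```python
"""Triage helpers for the W32/Agent.HD!tr indicators on this page.

Added example, not Fortinet's code. Two inputs are assumed:
  * a text export of the Run key in the format written by `reg export`
  * web-proxy log lines in a constructed "timestamp client url" layout
"""
import re
from urllib.parse import urlsplit

RUN_VALUE_NAME = "IE Java Update"          # Run value name from the page
DROPPED_FILE = "iejava.exe"                # dropped file name from the page
BEACON_DOMAINS = {"reallynice.info", "simpleyetgood.com"}
# Every script name on the page has the shape sys<word>update<suffix>.php.
BEACON_PATH_RE = re.compile(r"^/sys[a-z]*update[0-9a-z]*\.php/?$", re.IGNORECASE)


def run_key_indicators(reg_export: str) -> list:
    """Return (name, path) pairs under the Run key that match the page's indicators."""
    hits = []
    in_run_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Only values under ...\CurrentVersion\Run are of interest.
            in_run_key = line.lower().endswith("\\currentversion\\run]")
            continue
        if not in_run_key or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().strip('"')
        # .reg files double every backslash inside string values.
        value = value.strip().strip('"').replace("\\\\", "\\")
        if name.lower() == RUN_VALUE_NAME.lower() or value.lower().endswith(DROPPED_FILE):
            hits.append((name, value))
    return hits


def is_beacon_url(url: str) -> bool:
    """True if url points at one of the listed domains with a sysupdate-style script."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    # Compare the registered domain (last two labels) so that look-alike
    # hosts such as reallynice.info.example.org are not matched.
    if ".".join(labels[-2:]) not in BEACON_DOMAINS:
        return False
    return bool(BEACON_PATH_RE.match(parts.path)) and parts.query.startswith("p=")


def find_beacons(log_lines) -> list:
    """Return (timestamp, client, url) for every log line whose URL is a beacon."""
    found = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        timestamp, client, url = fields[:3]
        if is_beacon_url(url):
            found.append((timestamp, client, url))
    return found


# Constructed sample inputs (not real captures).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"
"IE Java Update"="C:\\WINNT\\System32\\iejava.exe"
'''

SAMPLE_PROXY_LOG = """\
2023-10-03T10:00:01Z 10.0.0.5 http://ole.reallynice.info/sysupdate.php/?p=10.0.0.5:49321
2023-10-03T10:00:02Z 10.0.0.5 http://www.example.com/index.html
2023-10-03T10:00:03Z 10.0.0.7 http://msp.simpleyetgood.com/sysosupdate1.php/?p=10.0.0.7:51000
2023-10-03T10:00:04Z 10.0.0.9 http://reallynice.info.example.org/sysupdate.php/?p=x
"""

if __name__ == "__main__":
    for name, path in run_key_indicators(SAMPLE_REG_EXPORT):
        print(f"Run key persistence: {name!r} -> {path}")
    for ts, client, url in find_beacons(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{ts} {client} beacon to {url}")
```

On the constructed inputs the Run-key check reports only the "IE Java Update" value, and the log scan flags the two clients beaconing to the listed domains while ignoring the look-alike host in the last line.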

Miscellaneous
Using a command line tool courtesy of Sysinternals.com, the open port in use by the Trojan can be detected easily -

Recommended Action

FortiGate systems:
  • Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option.

FortiClient systems:
  • Quarantine/delete infected files detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-10-03 91.07527
2023-08-28 91.06446
2023-08-27 91.06406
2022-10-04 90.06580
2022-09-27 90.06370
2022-08-14 90.05055
2022-08-07 90.04847
2022-08-06 90.04822
2022-08-06 90.04820
2022-08-06 90.04817