W32/Sdexe!tr

Analysis

  • The Trojan is a 32-bit executable with a compressed file size of 66,056 bytes, written in Visual C++
  • If the Trojan is run, it may first delete any existing copy named "sdexe.exe" in the %System% folder, then copy itself to that folder under the same name
  • Next, the Trojan may modify the registry so that it runs automatically at the next Windows startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    Mendware App = sdexe.exe

  • The Trojan contains instructions to read Internet cookie data

  • The Trojan communicates with the web IP address 66.150.193.111, submitting information to a server-side script

  • The Trojan supports remote command instructions to update itself

Recommended Action

  • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, add the IP address 66.150.193.111 to the URL block list
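The following script is an added host-side check, not part of the Fortinet entry or its product: it looks for the three indicators the analysis above lists (the "Mendware App" Run value, a dropped sdexe.exe in the System folder, and a live connection to 66.150.193.111). It assumes Windows PowerShell run with administrative rights on the host being examined, and checks both System32 and System as candidates for %System%.

```powershell
# Added example (not from the Fortinet page): host-side check for the
# W32/Sdexe!tr indicators described above. Assumes Windows PowerShell 5.1+
# run as an administrator on the machine being checked.

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Mendware App'
$fileName  = 'sdexe.exe'
$c2Address = '66.150.193.111'
$findings  = @()

# 1. Auto-run registry value "Mendware App = sdexe.exe"
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $valueName)) {
    $findings += "Run value '$valueName' present: $($run.$valueName)"
}

# 2. Dropped copy in the System folder. The page writes %System%; on modern
#    Windows that resolves to System32, so both locations are checked (assumption).
foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\System")) {
    $path = Join-Path -Path $dir -ChildPath $fileName
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += "File present: $path (SHA256 $hash)"
    }
}

# 3. Live TCP connection to the reporting address named in the analysis
$conn = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $c2Address }
if ($conn) {
    $pids = ($conn.OwningProcess | Sort-Object -Unique) -join ','
    $findings += "Active connection to $c2Address from PID(s) $pids"
}

# Report: any hit warrants isolating the host and rescanning with current signatures
if ($findings.Count -eq 0) {
    Write-Output 'No W32/Sdexe!tr indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "INDICATOR: $_" }
}
```

Absence of all three indicators does not prove a host is clean; the file hash recorded for a present sdexe.exe can be compared against the AV vendor's detection before the file is removed.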
