Threat Encyclopedia



  • Copies itself to the System folder as update.exe.
    Registry Modification
  • Adds the following registry entries:
      Configuration Loader = "update.exe"
      Configuration Loader = "update.exe"

    Other Behavior
  • Connects to the one of the following Internet Relay Chat (IRC) servers:

    on one of the following channels:
    • #DRX-ARMY
    • #DRX-ARMY2

    When connected, it listens for commands that allow the remote attacker to perform any of the following actions:
    • Download files
    • Send UPD, ICMP, and SYN packets to specified servers
    • Send information such as the following:
      • CPU type
      • Total RAM
      • Available RAM
      • OS version
      • User name

recommended-action-logoRecommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the 'Allow Push Update' option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry