On 8 July the first removal of BackDoor-FGT happened just after midnight. We have had 966 so far. The folders the file is found in are dated over a month ago. Once removed, they do not come back, so this has hit quite a few PCs. My guess is it can work like a worm to infect PCs and it was just a newly released .dat file that could identify the malware.

Has anyone else encountered this malware?

Are your experiences similar?

It does not seem to have activated, just been located in many PCs.


Re: BackDoor-FGT

I've seen this as well. We noticed it initially about 1.5 months ago. We submitted a sample to McAfee a month ago; the Extra.dat was tailored for a unique hash, though, and every file had a different hash, so the Extra.dat was useless. The introduction of BackDoor-FGT appears to have cleaned them all.

It appears to be what Symantec and others dub Trojan.Gatak (link); however, only limited information on this appears to have made its way online. For instance, the variant that we saw uses tcp/443 for C&C. The infected files are googletalk.exe, Skype.exe, and AdVantage.exe, all located in %UserProfile%\Application Data\%Foldername%. Startup registry keys similar to those in the Symantec article were created for each. C&C IPs are ,, and one additional that I don't have documented. All C&C traffic is clear text over tcp/443. All C&C servers appear to be compromised web servers.

Any additional information from McAfee would be helpful.

Message was edited by: sports_is on 7/13/12 1:35:59 PM CDT

Re: BackDoor-FGT

On about 7/3/2012, I submitted about 8 files, variously named skype.exe, googletalk.exe, and advantage.exe, that I had found on our corporate network. I also found and submitted several of the actual droppers for the malware now named Backdoor-FGT.

The C&C traffic may appear to be clear text, but it is encoded. When this malware originally installs, it makes a copy of the dropper and puts it into an encrypted file with no extension located in the c:\documents and settings\user\application data\microsoft directory, in a randomly named folder ranging from about 3 to 6 characters in length. The file located in there is the encoded dropper, and is encoded with the same key as the C2 traffic.

I am still reversing the code and the traffic, but it was definitely performing Man-in-the-Browser (MITB) attacks on my users' attempts to log into their personal banking websites here in the USA.

I'm glad that this submission helped other companies as well.
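The two replies above give enough host and network indicators for a quick triage check: the named executables one folder below Application Data (second reply), the extension-less encoded dropper copy in a short randomly named folder under Application Data\Microsoft (third reply), and C2 on tcp/443 that is not TLS (both replies). The script below is an added example written for this thread; it is not McAfee's, Symantec's or either poster's code. The indicator values come from the replies, the sample directory layout is constructed inside the script for its own self-test, and the allowlist of legitimate short-named Microsoft subfolders is an assumption you should tune against a clean machine of your own build.

```python
"""
Host and network triage checks for the BackDoor-FGT / Trojan.Gatak artifacts
described in this thread. Added example, not McAfee's, Symantec's or the
posters' code. Indicator values come from the two replies; the sample tree
is constructed here for the self-test; the allowlist is an assumption.
"""
import os
import re
import tempfile

# Executable names the second reply found under Application Data\<folder>.
SUSPECT_EXE_NAMES = {"googletalk.exe", "skype.exe", "advantage.exe"}

# Third reply: the encoded dropper copy is an extension-less file inside a
# folder with a short random name (3-6 characters) directly under
# Application Data\Microsoft.
RANDOM_FOLDER_RE = re.compile(r"^[a-z0-9]{3,6}$")

# Assumption: short-named folders that Windows and Office legitimately create
# there. Extend this for your environment after reviewing a clean machine.
KNOWN_MICROSOFT_SUBFOLDERS = {"crypto", "office", "excel", "word", "proof", "vault", "mmc"}


def scan_application_data(appdata_dir):
    """Walk one user's 'Application Data' directory and return a sorted list
    of (indicator, path) tuples for files matching the thread's description.
    Hits are triage leads for an analyst, not verdicts."""
    hits = []
    for root, _dirs, files in os.walk(appdata_dir):
        rel = os.path.relpath(root, appdata_dir)
        parts = [] if rel == "." else rel.lower().split(os.sep)
        for name in files:
            path = os.path.join(root, name)
            lname = name.lower()
            if len(parts) == 1 and lname in SUSPECT_EXE_NAMES:
                # Second reply: Skype.exe / googletalk.exe / AdVantage.exe
                # one folder below Application Data.
                hits.append(("suspect_exe", path))
            elif (
                len(parts) == 2
                and parts[0] == "microsoft"
                and parts[1] not in KNOWN_MICROSOFT_SUBFOLDERS
                and RANDOM_FOLDER_RE.match(parts[1])
                and "." not in lname
            ):
                # Third reply: extension-less file under Microsoft\<random>.
                hits.append(("encoded_dropper", path))
    return sorted(hits)


def looks_like_tls_client_hello(payload):
    """True when the first bytes of a client-to-server tcp/443 payload form a
    TLS record header (content type 0x16 = handshake, major version 0x03)
    carrying a ClientHello (handshake type 0x01). The thread reports this
    family's C2 on tcp/443 without TLS, so 443 flows failing this check are
    worth a second look in proxy or IDS logs."""
    return (
        len(payload) >= 6
        and payload[0] == 0x16
        and payload[1] == 0x03
        and payload[2] <= 0x04
        and payload[5] == 0x01
    )


def build_sample_tree():
    """Create a constructed Application Data layout in a temp dir: one hit of
    each kind plus benign files that must not be flagged. Returns its path."""
    base = tempfile.mkdtemp(prefix="appdata_")
    layout = {
        os.path.join("Abc12", "Skype.exe"): b"MZ...",           # reply 2 artifact
        os.path.join("Microsoft", "qwe4", "f7x"): b"\x8b\x1f",  # reply 3 artifact
        os.path.join("Microsoft", "Office", "recent"): b"",     # allowlisted folder
        os.path.join("Microsoft", "Windows", "ntuser"): b"",    # folder name too long
        os.path.join("Abc12", "settings.xml"): b"<x/>",         # has an extension
    }
    for rel, content in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    for indicator, path in scan_application_data(build_sample_tree()):
        print(indicator, path)
    # Constructed first bytes of a TLS ClientHello record versus plain HTTP.
    print("TLS?", looks_like_tls_client_hello(bytes.fromhex("16030100c5010000c1")))
    print("TLS?", looks_like_tls_client_hello(b"GET / HTTP/1.1\r\n"))
```

Point `scan_application_data` at each profile's real Application Data directory (the self-test only builds a throwaway tree); anything it returns still needs the file pulled and checked, since the thread itself notes that every sample carried a different hash. The 443 heuristic is deliberately narrow: it only says "this is not a TLS ClientHello", which is exactly the property both replies describe for this family's C2, and it will also surface other non-TLS traffic on 443 that deserves the same review.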
