There are a number of strings with references to "lunar", "moon", "planets" that appear to be used as part of the C&C channel.
Looking at web logs it would appear that the malware attempts to spread to other systems by probing ports .
Before seeing the first HNAP probe I can see what appears to be SSL attempts to connect to those ports using TLS/SSL. X - - [11/Feb/ -0800] "\x80w\x01\x03\x01" 400 294 "-" "-" "-" "-" "-" "37382" 76.14. X - - [11/Feb/ -0800] "GET /HNAP1/ HTTP/1.1" 404 225 " "Opera/6.x (Linux 2.4.8-26mdk i686; U) [en]" "text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8" "en-US,en;q=0.5" "gzip, deflate" "37384" So the binding to openssl may be for command and control but it also may be there to allow the malware to try to talk to routers that have the SSL enabled for their remove management web connection.
In order to complete the connection process you must open a web browser.
The browser will then be automatically redirected to NMT's wireless login page.
I suspect a firmware upgrade probably fixes that behaviour. If you want to accept both computer credentials and user credentials you'll need to name both "Domain Comptuers" and "Domain Users" in your policy.