W32/Small.QW!tr

Analysis

W32/Small.QW-tr is a Trojan that, when executed, downloads additional files onto the computer system.
Without the user's knowledge, this Trojan installs the DLMax application, which is detected as "BHO/DLMax". One of the files from this application is "Spike.exe", which sends information to http://example.com.
The Trojan then downloads another file, "duad.exe", from abetterinternet.com. This file is moved and renamed to C:\WinNT\System32\mdazhmcj.exe, and is detected as W32/Mdashmsg-tr. A registry entry is inserted to auto-run this file at system startup:
HKEY_LOCAL_MACHINE\System\Microsoft\Windows\CurrentVersion\Run
mdazhmcj = c:\winnt\system32\mdazhmcj.exe
Next, this Trojan downloads and installs the Farmmext application, which is detected as "Download/Stubby.C".
In some cases, this Trojan downloads and installs the Zserv application, which is detected as "W32/Agent.BP-bdr".
This Trojan is related to Adware/Betterinternet.
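The persistence mechanism described above (an auto-run value under the Run key pointing at the renamed dropper) is the kind of artifact an analyst checks for on a suspect host. The following is an added example, not Fortinet's own code: it takes Run-key values that have already been exported as (value name, data) pairs (for instance from `reg query` or an offline hive dump) and flags any entry that matches the indicators given in this description, whether by the value name, by the full path, or by referencing one of the dropped file names. The sample entries are constructed for illustration.

```python
import re
from typing import List, Tuple

# Indicators taken from the W32/Small.QW-tr description on this page.
KNOWN_RUN_VALUE = "mdazhmcj"
KNOWN_RUN_DATA = r"c:\winnt\system32\mdazhmcj.exe"
DROPPED_FILES = {"mdazhmcj.exe", "duad.exe", "spike.exe"}

# Extract the executable path from a Run value: either the quoted first token
# ("C:\Program Files\x.exe" /arg) or the first whitespace-delimited token.
_PATH_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def executable_from_run_data(data: str) -> str:
    """Return the lower-cased executable path stored in a Run value."""
    m = _PATH_RE.match(data)
    if not m:
        return ""
    return (m.group(1) or m.group(2)).lower()


def check_run_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (value_name, reason) for every Run entry matching the indicators.

    entries: list of (value_name, data) pairs exported from a Run key.
    """
    findings = []
    for name, data in entries:
        path = executable_from_run_data(data)
        exe = path.rsplit("\\", 1)[-1]
        if name.lower() == KNOWN_RUN_VALUE or path == KNOWN_RUN_DATA:
            findings.append((name, "matches W32/Small.QW-tr autorun entry"))
        elif exe in DROPPED_FILES:
            findings.append((name, f"references known dropped file {exe}"))
    return findings


# Constructed sample export of a Run key (hypothetical host, not real data).
SAMPLE_RUN_ENTRIES = [
    ("mdazhmcj", r"c:\winnt\system32\mdazhmcj.exe"),
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("updater", r'"C:\Temp\duad.exe" /q'),
]

if __name__ == "__main__":
    for value_name, reason in check_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{value_name}: {reason}")
```

Value-name and path matching is case-insensitive because the registry itself is; quoted paths with trailing arguments are handled so that a renamed or relocated copy of a dropped file is still caught by its file name.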

Recommended Action

  • FortiGate systems: check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option

Telemetry

Detection Availability

FortiGate: Extreme
FortiClient: Extended
FortiMail: Extended
FortiSandbox: Extended
FortiWeb: Extended
Web Application Firewall: Extended
FortiIsolator: Extended
FortiDeceptor: Extended
FortiEDR