W32/Small.QW!tr
Analysis
W32/Small.QW-tr is a Trojan that, when executed, downloads additional files onto the compromised system.
Without the user's knowledge, this Trojan installs the DLMax application, which is detected as "BHO/DLMax". One of the files from this application, "Spike.exe", sends information to http://example.com.
Then, this Trojan downloads another file, "duad.exe", from abetterinternet.com. This file is moved and renamed to C:\WinNT\System32\mdazhmcj.exe and is detected as W32/Mdashmsg-tr. The following registry entry is inserted so that the file runs automatically at system startup:
HKEY_LOCAL_MACHINE\System\Microsoft\Windows\CurrentVersion\Run
mdazhmcj = c:\winnt\system32\mdazhmcj.exe
Next, this Trojan downloads and installs the Farmmext application, which is detected as "Download/Stubby.C".
In some cases, this Trojan also downloads and installs the Zserv application, which is detected as "W32/Agent.BP-bdr".
This Trojan is related to Adware/Betterinternet.
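As an added example, not part of the Fortinet analysis: a Python check that parses a registry export (.reg format) and flags the Run-key persistence entry described above. The sample export is constructed; the key path is the one given in the analysis, and any key ending in \CurrentVersion\Run is inspected.

```python
import re

# Indicators from the analysis above: the Run value name and the dropped file.
AUTORUN_VALUE_NAME = "mdazhmcj"
DROPPED_FILE_PATH = r"c:\winnt\system32\mdazhmcj.exe"
# Any key ending in \CurrentVersion\Run is inspected: the analysis lists one
# under HKLM\System, while the usual autorun key sits under HKLM\Software.
_RUN_KEY_RE = re.compile(r"^\[(?P<key>.+\\CurrentVersion\\Run)\]$", re.IGNORECASE)
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

def _unescape(text):
    # .reg exports escape backslashes and double quotes with a backslash.
    return re.sub(r'\\(["\\])', r"\1", text)

def parse_run_entries(reg_export):
    """Return {(key, value_name): data} for every value under a Run key."""
    entries, current_key = {}, None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):  # new section: keep it only if it is a Run key
            m = _RUN_KEY_RE.match(line)
            current_key = m.group("key") if m else None
            continue
        m = _VALUE_RE.match(line) if current_key else None
        if not m:
            continue
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])  # REG_SZ: strip quotes, unescape
        entries[(current_key, _unescape(m.group("name")))] = data
    return entries

def find_mdazhmcj_autorun(reg_export):
    """List (key, name, data) for Run entries matching the persistence indicator."""
    hits = []
    for (key, name), data in parse_run_entries(reg_export).items():
        image = data.strip().strip('"').lower()  # tolerate quoted image paths
        if name.lower() == AUTORUN_VALUE_NAME or image == DROPPED_FILE_PATH:
            hits.append((key, name, data))
    return hits

# Constructed sample export: a benign entry, the indicator, and a decoy outside Run.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\System\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"mdazhmcj"="c:\\winnt\\system32\\mdazhmcj.exe"
[HKEY_LOCAL_MACHINE\Software\Example\Settings]
"mdazhmcj"="not under a Run key, must be ignored"
"""
```

Run `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` on a host and pass the file contents to `find_mdazhmcj_autorun` to check a live system.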
Recommended Action
- FortiGate systems: check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed.
-- If required, enable the "Allow Push Update" option.
Detection Availability
Product | Detection Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |