• Threat is 32-bit, with a size of 5,664 bytes
  • Threat attempts to connect to Internet sites and download and then install components which will allow the infected system to be used as a proxy server
  • Once the system is compromised, a hacker or group of hackers could hijack use of the computer to send spam messages or other malicious actions
  • The threat was intentionally mass-mailed to select email addresses posing as a URL and referencing a financial document known as a “heloc” or home equity line of credit
  • Trojan modifies Internet Explorer to log passwords on websites by modifying the registry –
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    "FormSuggest Passwords" = yes
    "FormSuggest PW Ask" = yes
  • Trojan may store email login credentials and other data into small files on the system –
  • Trojan may attempt to connect to at least three websites using TCP port 80 –
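As an added defender-side check that is not part of this advisory, the following PowerShell audits the two Internet Explorer AutoComplete values the trojan sets and can reset them; the function name and the -Remediate switch are my own, and it only examines the current user's HKCU hive.

```powershell
# Added example: audit (and optionally reset) the IE form-password values the trojan enables.
# Assumes Windows PowerShell 5.1 or later; only the current user's HKCU hive is examined.
function Test-IEFormSuggest {
    [CmdletBinding()]
    param(
        # When set, any value found as "yes" is changed back to "no".
        [switch]$Remediate
    )
    $key    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $names  = @('FormSuggest Passwords', 'FormSuggest PW Ask')
    $result = @()

    if (-not (Test-Path $key)) {
        Write-Verbose "Key $key not present; nothing to check."
        return $result
    }

    foreach ($name in $names) {
        # Both values are REG_SZ strings holding "yes" or "no".
        $value   = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        $enabled = ($null -ne $value) -and ($value -ieq 'yes')
        if ($enabled -and $Remediate) {
            # "no" disables saving/prompting for form passwords.
            Set-ItemProperty -Path $key -Name $name -Value 'no'
        }
        $result += [pscustomobject]@{
            Name       = $name
            Value      = $value
            Suspicious = $enabled
            Remediated = ($enabled -and $Remediate)
        }
    }
    return $result
}

# Report only; add -Remediate to reset the values.
Test-IEFormSuggest | Format-Table -AutoSize
```

A value of "yes" is also what a user gets by enabling AutoComplete for passwords in Internet Explorer's own settings, so treat a hit as a reason to look for the other indicators in this advisory rather than as proof of infection.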

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option