W32/Small.AWA!tr
Analysis
This Trojan may be received in an email message as an attachment. If it is run, it copies itself to the System32 folder -
c:\WINNT\system32\syshelp.exe
The Trojan then registers itself to run at Windows startup by adding a value to the current user's Run key (HKEY_CURRENT_USER, so the persistence applies to the logged-on user who ran the attachment), for example -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Systems = c:\winnt\system32\syshelp.exe
The Trojan then tries to download an executable file named "cy_0099_manual" from "195.225.177.33". At the time of this writing, the file was not available. The IP address, and consequently the full URL, is categorized as "Malware" in the FortiGate web filtering service.
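As an added example, not part of Fortinet's analysis, the following PowerShell script checks a host for the three indicators described above: the "Systems" Run value, the dropped syshelp.exe, and any live connection to the download host. It assumes $env:SystemRoot in place of the literal c:\WINNT, because the directory name depends on the Windows installation, and it assumes the value name and file name are exactly as listed above; Get-NetTCPConnection requires Windows 8 / Server 2012 or later.

```powershell
# Host IOC check for W32/Small.AWA!tr (added example, not Fortinet's code).
# Assumptions: value name "Systems" and file name syshelp.exe are taken from the
# analysis above; $env:SystemRoot stands in for c:\WINNT, which varies by install.
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$fileName = 'syshelp.exe'
$dropPath = Join-Path $env:SystemRoot "system32\$fileName"
$dlHost   = '195.225.177.33'

$findings = @()

# 1. Persistence: any HKCU Run value whose data references syshelp.exe.
#    Matching on the data rather than the name catches a renamed value.
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        if ("$($p.Value)" -match [regex]::Escape($fileName)) {
            $findings += "Run value '$($p.Name)' = $($p.Value)"
        }
    }
}

# 2. Dropped file in System32, with a hash for submission or blocklisting.
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += "File present: $dropPath (SHA256 $hash)"
}

# 3. Best-effort network check: the download may fail, so a connection is not
#    required for infection, but one is a strong signal and names the process.
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
         Where-Object { $_.RemoteAddress -eq $dlHost }
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings += "Connection to $dlHost from PID $($c.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    Write-Output "No W32/Small.AWA!tr indicators found."
} else {
    Write-Output "Indicators found:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Because the Run key lives under HKEY_CURRENT_USER, the registry check only covers the user running the script; on a shared machine, repeat it for each profile (for example by loading the other users' hives under HKEY_USERS) before declaring the host clean.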
Recommended Action
FortiGate systems:
- check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option