This Trojan may be received in an email message as an attachment. If it is run, it will install itself locally to the System32 folder -


The Trojan then registers itself to run at Windows startup via a registry key modification like this one -

Systems = c:\winnt\system32\syshelp.exe
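A check for the autostart entry described above, as an added example that is not part of the original write-up. It scans the text of a registry export for any value that launches syshelp.exe and notes whether the value is named "Systems". The function names, the sample export and its placeholder key are assumptions; the page does not name the key the Trojan modifies.

```python
import ntpath
import re

# Indicators from the write-up above: value name and dropped file name.
IOC_VALUE_NAME = "systems"
IOC_FILE_NAME = "syshelp.exe"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in .reg export format. The key name is a placeholder:
# the page does not say which key the Trojan writes to.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Autostart]
"Updater"="\"C:\\Program Files\\Example\\update.exe\" /quiet"
"Systems"="c:\\winnt\\system32\\syshelp.exe"
"Helper"="C:\\WINNT\\System32\\SYSHELP.EXE -s"
'''


def unescape(text):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", text)


def target_file(command):
    """Lower-cased file name of the executable an autostart command runs."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
        exe = m.group(1) if m else command.split(" ", 1)[0]
    return ntpath.basename(exe).lower()


def scan_reg_export(text):
    """Return (key, value name, data, name_matches) for each suspicious value."""
    # Exports written by Windows are usually UTF-16; decode before calling.
    hits, key = [], None
    for line in map(str.strip, text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VALUE_RE.match(line)):
            name, data = unescape(m.group(1)), unescape(m.group(2))
            if target_file(data) == IOC_FILE_NAME:
                hits.append((key, name, data, name.lower() == IOC_VALUE_NAME))
    return hits
```

Matching on the file name rather than only the value name also catches an entry that was renamed, as the "Helper" line in the sample shows.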

The Trojan tries to download an executable file named "cy_0099_manual" from "". At the time of this writing, the file was not available. The IP address, and consequently the full URL, is registered as "Malware" in the FortiGate web filtering service.

Recommended Action

    FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option