W32/Small.AWA!tr

Analysis

This Trojan may be received in an email message as an attachment. If it is run, it copies itself to the System32 folder under the following path -

c:\WINNT\system32\syshelp.exe

The Trojan then registers itself to run at Windows startup via a registry key modification like this one -

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Systems = c:\winnt\system32\syshelp.exe

The Trojan tries to download an executable file named "cy_0099_manual" from "195.225.177.33". At the time of this writing, the file was not available. The IP address, and consequently the full URL, is categorized as "Malware" in the FortiGate web filtering service.

Recommended Action

    FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2019-10-22 72.51600 Sig Updated
2019-08-27 71.17600 Sig Updated
2019-07-23 70.18200 Sig Updated
2019-07-21 70.15100 Sig Updated