This Trojan may be received in an email message as an attachment. If it is run, it will install itself locally to the System32 folder -
The Trojan then registers itself to run at Windows startup via a registry key modification like this one -
Systems = c:\winnt\system32\syshelp.exe
The Trojan tries to download an executable file named "cy_0099_manual" from "220.127.116.11". At the time of this writing, the file was not available. The IP address, and subsequently the full URL, are registered as "Malware" in the FortiGate web filtering service.
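A check for the startup entry described above, written as an added example (not part of the original advisory or any Fortinet tool). It scans registry export text for the value name and file path given here. The Run key paths in the sample are assumptions, since the page does not show which key is modified.

```python
import re

# Indicators taken from the description above.
VALUE_NAME = "systems"
PATH_RE = re.compile(r'\\system32\\syshelp\.exe(?![\w.])', re.I)

# Constructed sample in registry export text form. The Run key paths are
# an assumption: the page does not show which startup key is written.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Systems"="c:\\winnt\\system32\\syshelp.exe"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Helper"="C:\\WINDOWS\\System32\\SysHelp.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    # Export files escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', text)

def find_suspicious(export_text):
    """Return (key, value name, data, reasons) for entries matching the indicators."""
    hits, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # entering a new registry key section
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue                  # header, blank line or non-string value
        name, data = unescape(m.group(1)), unescape(m.group(2))
        reasons = []
        if name.lower() == VALUE_NAME:
            reasons.append("value name")   # weak on its own: a generic name
        if PATH_RE.search(data):
            reasons.append("file path")    # syshelp.exe under a system32 folder
        if reasons:
            hits.append((key, name, data, reasons))
    return hits

if __name__ == "__main__":
    for key, name, data, reasons in find_suspicious(SAMPLE_EXPORT):
        print(f"{key}: {name} = {data} (matched on {', '.join(reasons)})")
```

Files written by the Windows registry export are UTF-16, so read them with `encoding="utf-16"` before passing the text to `find_suspicious`.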
- check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option