Virus

W32/Small.AWA!tr

Analysis

This Trojan may be received in an email message as an attachment. If it is run, it installs a copy of itself in the System32 folder as -

c:\WINNT\system32\syshelp.exe

The Trojan then registers itself to run at Windows startup via a registry key modification like this one -

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Systems = c:\winnt\system32\syshelp.exe

The Trojan tries to download an executable file named "cy_0099_manual" from "195.225.177.33". At the time of this writing, the file was not available. The IP address, and consequently the full URL, is registered as "Malware" in the FortiGate web filtering service.
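The indicators above (the dropped file path, the Run key value and the download host) can be checked against a registry export and outbound proxy logs. The following script is an added example and is not part of the original Fortinet entry; the registry export and proxy log lines in it are constructed sample data, and only the indicators themselves are taken from the analysis.

```python
"""
Added example (not from the original advisory): scan a registry export and
proxy log lines for the W32/Small.AWA!tr indicators described in the analysis.
All inputs below are constructed sample data.
"""
import re
from typing import Dict, List

# Indicators taken from the analysis above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED_FILE = r"system32\syshelp.exe"
C2_HOST = "195.225.177.33"
C2_FILE = "cy_0099_manual"

# Constructed sample: a "reg export" of HKCU\...\Run. Values in .reg files
# escape backslashes as "\\".
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"Systems"="c:\\winnt\\system32\\syshelp.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Temp\\cleanup.exe"
"""

# Constructed sample: outbound proxy log lines (client, method, URL, status).
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET http://www.example.com/index.html 200",
    "10.0.0.7 GET http://195.225.177.33/cy_0099_manual 404",
    "10.0.0.9 GET http://updates.example.net/patch.exe 200",
]

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
_URL_RE = re.compile(r"https?://([^/\s:]+)(?::\d+)?(/\S*)?", re.IGNORECASE)


def find_run_key_persistence(reg_text: str) -> List[Dict[str, str]]:
    """Return Run-key values whose data points to the dropped syshelp.exe."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = _SECTION_RE.match(line)
        if section:
            current_key = section.group(1)
            continue
        # Only values under the HKCU Run key are of interest here.
        if current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        value = _VALUE_RE.match(line)
        if not value:
            continue
        # Undo the .reg backslash escaping before comparing paths.
        name, data = value.group(1), value.group(2).replace("\\\\", "\\")
        if DROPPED_FILE.lower() in data.lower():
            findings.append({"key": current_key, "name": name, "data": data})
    return findings


def find_download_attempts(log_lines: List[str]) -> List[str]:
    """Return proxy log lines that contact the download host or request the payload name."""
    hits = []
    for line in log_lines:
        m = _URL_RE.search(line)
        if not m:
            continue
        host, path = m.group(1), m.group(2) or ""
        if host == C2_HOST or C2_FILE.lower() in path.lower():
            hits.append(line)
    return hits


if __name__ == "__main__":
    for finding in find_run_key_persistence(SAMPLE_REG_EXPORT):
        print("persistence:", finding)
    for hit in find_download_attempts(SAMPLE_PROXY_LOG):
        print("download attempt:", hit)
```

A failed (404) request to the download host is still worth alerting on: the analysis notes the file was unavailable at the time of writing, so the request itself, not a successful download, is the useful signal that the Trojan has run on the client.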

Recommended Action

FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option