Trojan downloads adware components from numerous web addresses including these -

The Sectho.C Trojan connects to multiple web addresses in an attempt to deliver a cocktail of adware components. Many of these components, when run, modify the registry so that they load at the next Windows startup.

Loading At Windows Startup
If the Trojan is run, it may install itself to the Windows folder and modify the registry to auto-run at next Windows startup as in this example -

"stcloader" = C:\WINNT\System32\stcloader.exe

The file "stcloader.exe" runs as a process in memory. It repeatedly contacts various websites and downloads executable files; these executables deliver ad content to the compromised system. Below is a list of possible auto-run entries created as a result of downloading and running the adware components of this Trojan -

"TB_setup" = tb_setup.exe /dcheck
"version" = C:\WINNT\System32\manage.exe
"WinEssential" = C:\WINNT\System32\keyword.exe
"ClrSchLoader" = C:\Program Files\ClearSearch\Loader.exe
"msbb" = C:\Program Files\STC\msbb.exe
"RunDLL" = rundll32.exe "C:\WINNT\System32\bridge.dll",Load
"SAHAgent" = C:\WINNT\System32\SahAgent.exe
"slmss" = C:\Program Files\Common Files\slmss\slmss.exe
"SQConfigChecker" = C:\Program Files\Sqwire\cc.exe
"SQUpdatesChecker" = C:\Program Files\Sqwire\uc.exe
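As an added example (not part of the original advisory), the following Python check parses a .reg export of a Run key, such as the output of "reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg", and flags values whose name or referenced file matches the entries listed above; the sample export is constructed for illustration.

```python
import re

# Value names and file names taken from the auto-run entries in the advisory.
SUSPECT_VALUE_NAMES = {
    "stcloader", "TB_setup", "version", "WinEssential", "ClrSchLoader", "msbb",
    "RunDLL", "SAHAgent", "slmss", "SQConfigChecker", "SQUpdatesChecker",
}
# Names that legitimate software also uses; these only count with a file match.
GENERIC_NAMES = {"version", "RunDLL"}
SUSPECT_FILES = {
    "stcloader.exe", "tb_setup.exe", "manage.exe", "keyword.exe", "loader.exe",
    "msbb.exe", "bridge.dll", "sahagent.exe", "slmss.exe", "cc.exe", "uc.exe",
}

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_FILE_RE = re.compile(r'[\w.-]+\.(?:exe|dll)', re.I)

def _unescape(s):
    # .reg exports escape backslashes and quotes with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for REG_SZ values in a .reg export.
    Real exports are UTF-16 with a BOM; open them with encoding='utf-16'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys

def find_suspect_autoruns(text):
    """Return (key, name, data) for Run-key values matching the advisory."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith("\\run"):
            continue
        for name, data in values.items():
            files = {f.lower() for f in _FILE_RE.findall(data)}
            by_name = name in SUSPECT_VALUE_NAMES and name not in GENERIC_NAMES
            if by_name or files & SUSPECT_FILES:
                hits.append((key, name, data))
    return hits

# Constructed sample export: three entries from the advisory plus one benign value.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"stcloader"="C:\\WINNT\\System32\\stcloader.exe"
"RunDLL"="rundll32.exe \"C:\\WINNT\\System32\\bridge.dll\",Load"
"TB_setup"="tb_setup.exe /dcheck"
"Synchronizer"="C:\\Program Files\\Vendor\\sync.exe"
'''
```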

Web Delivery Of Adware Components
The Trojan first downloads an adware component from a remote web address, saving it as "stcloader.exe", and executes it. This adware application then begins a steady process of connecting to various websites and downloading and running executable files. This is done without the user's consent, with the exception of one dialogue box asking if the user would like to install something from "The Good Download Corp.".

The Trojan uses a plain HTTP GET request to retrieve binary files stored on web servers associated with pop-up ad delivery. Once a binary is retrieved it is executed, which in many cases installs the downloaded component as an Internet Explorer Browser Helper Object (BHO).

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, add these web addresses to the URL block section -