W32/Small.DHT!tr.dldr

Analysis

The malware attempts to connect to the following IP Address:

85.255.117.157
66.235.181.40
217.107.217.184
85.255.117.155
64.111.210.10
67.29.139.220
216.130.174.93
209.160.64.135

The malware drops the following files:

undefinedUser Folderundefined\Local Settings\Temp\qvxt1.game
undefinedUser Folderundefined\Local Settings\Temp\qvxt2.game detected as W32/Dloader.F!tr
undefinedUser Folderundefined\Local Settings\Temp\qvxt3.game detected as W32/Dloader.F!tr
undefinedUser Folderundefined\Local Settings\Temp\qvxt4.game detected as W32/FPUJunk!tr
undefinedSystemdirundefined\qvxgamet4.exe detected as W32/FPUJunk!tr
undefinedSystemdirundefined\qvxgamet3.exe detected as W32/Dloader.F!tr
undefinedSystemdirundefined\qvxgamet2.exe detected as W32/Dloader.F!tr
file qvxt1.game is a none malicious HTML file

As a means of its AutoStart, the malware applies the following registry modifications:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spfhlp.sys
which will make the malware execute as a service.

Recommended Action

FortiGate systems:

• check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the " Allow Push Update" option
  

FortiClient systems:

• Quarantine/Delete infected files detected and replace infected files with clean backup copies