Virus

W32/Small.DHT!tr.dldr

Analysis

  • The malware attempts to connect to the following IP addresses:

  • The malware drops the following files:
    • <User Folder>\Local Settings\Temp\qvxt1.game
    • <User Folder>\Local Settings\Temp\qvxt2.game detected as W32/Dloader.F!tr
    • <User Folder>\Local Settings\Temp\qvxt3.game detected as W32/Dloader.F!tr
    • <User Folder>\Local Settings\Temp\qvxt4.game detected as W32/FPUJunk!tr
    • <Systemdir>\qvxgamet4.exe detected as W32/FPUJunk!tr
    • <Systemdir>\qvxgamet3.exe detected as W32/Dloader.F!tr
    • <Systemdir>\qvxgamet2.exe detected as W32/Dloader.F!tr
    The file qvxt1.game is a non-malicious HTML file.
  • As a means of AutoStart, the malware applies the following registry modification:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spfhlp.sys
    This makes the malware execute as a service.

Recommended Action

FortiGate systems:
  • Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option.

FortiClient systems:
  • Quarantine/delete infected files detected and replace infected files with clean backup copies.