W32/Systrim.B!tr
Analysis
Specifics
This Trojan steals logon information and sends it to a pre-configured email address. This Trojan loads at Windows startup and monitors Windows logon instances then stores the data locally. This information is then sent using SMTP commands to the email address 'sha-jiang@163.net'.
Loading at Windows startup
The Trojan registers itself to load at each Windows startup -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"svsinet" = C:\WINNT\System32\svsinet.exe
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Telemetry
Detection Availability
FortiGate | |
---|---|
Extreme | |
FortiClient | |
Extended | |
FortiMail | |
Extended | |
FortiSandbox | |
Extended | |
FortiWeb | |
Extended | |
Web Application Firewall | |
Extended | |
FortiIsolator | |
Extended | |
FortiDeceptor | |
Extended | |
FortiEDR |