This Trojan downloads components that deliver porn to the compromised system. The related files installed are

logon.exe - 69,632 bytes
abox.exe - 36,864 bytes

These files are commonly installed to the Windows folder, and may load via the system registry from the common RUN location.

FTP transfer
When the Trojan is first run, it connects with an IP address using the system's own file transfer utility called FTP.EXE. The Trojan first writes an FTP script file into the TEMP folder named "Abox.ftp" and then runs FTP passing the script as a parameter. The script instructs FTP to retrieve files by their remote name and copy them to the Windows folder -

get ABox.exe C:\WINNT\ABox.exe
get logon.exe C:\WINNT\logon.exe
get ABox.bup C:\WINNT\ABox.bup

The Windows folder name is determined before the FTP script is created. After all files are retrieved, both executables are run. The file "ABox.bup" contains update information for the Trojan.

The file "abox.exe" is referenced as "Fun Box" by the author.

Recommended Action

    FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option