W32/Small.BQ!tr

Analysis

This threat was spammed in an email message as a hyperlink. When a user clicked the hyperlink, an encoded HTML file was downloaded and run. This encoded HTML file retrieved an additional .CHM file from '209.61.149.77'. The .CHM file uses a codebase exploit to retrieve and execute a binary file named "svchost.exe".
The file "svchost.exe" is a remote access Trojan that sends notification of its installation to a server-side PHP script; the server is located at the IP 209.51.149.77. The script captures the submitted data into a log file for a malicious user to browse; the submitted data includes details of the compromised system such as the machine name, the user name and other information.
This remote access Trojan is a variant of "Delf".
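The infection chain above leaves a recognisable trace in outbound web traffic: a .CHM retrieval followed shortly by an executable named "svchost.exe" fetched over HTTP, both from the server addresses named in the analysis. The following detection logic is an added example, not part of this advisory; the log format is a constructed, simplified proxy log (timestamp, client, method, URL, status), and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Server addresses exactly as given in the analysis above.
C2_HOSTS = {"209.61.149.77", "209.51.149.77"}

# Constructed sample proxy log: "timestamp client method url status".
SAMPLE_LOG = """\
2024-04-15T09:00:01 10.0.0.5 GET http://example.net/index.html 200
2024-04-15T09:00:12 10.0.0.5 GET http://209.61.149.77/stage/help.chm 200
2024-04-15T09:00:13 10.0.0.5 GET http://209.61.149.77/bin/svchost.exe 200
2024-04-15T09:01:00 10.0.0.9 GET http://intranet.local/docs/manual.chm 200
2024-04-15T09:05:00 10.0.0.9 GET http://update.example.org/setup.exe 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)

def parse(log_text):
    """Turn raw log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        parsed = urlparse(rec["url"])
        rec["host"] = parsed.hostname or ""
        rec["path"] = parsed.path.lower()
        events.append(rec)
    return events

def detect(log_text, window=timedelta(minutes=5)):
    """Return (client, reason) alerts matching the chain described above."""
    alerts = []
    last_chm = {}  # client -> timestamp of its most recent .chm retrieval
    for ev in sorted(parse(log_text), key=lambda e: e["ts"]):
        client, host, path = ev["client"], ev["host"], ev["path"]
        if host in C2_HOSTS:
            alerts.append((client, f"request to known C2 host {host}"))
        if path.endswith(".chm"):
            last_chm[client] = ev["ts"]
        # A Windows system binary named svchost.exe is never legitimately
        # fetched over HTTP, so the name alone is worth an alert.
        if path.rsplit("/", 1)[-1] == "svchost.exe":
            alerts.append((client, "svchost.exe fetched over HTTP"))
            if client in last_chm and ev["ts"] - last_chm[client] <= window:
                alerts.append((client, "chm-then-svchost.exe sequence"))
    return alerts
```

The second client in the sample retrieves an intranet .CHM and then an ordinary installer, which produces no alert; only the combination of a .CHM followed by an HTTP-fetched svchost.exe, or any contact with the listed hosts, is flagged.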

Recommended Action

  • Check the main screen of the web interface of your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
Version Updates

Date         Version     Detail
2024-04-15   92.03397
2024-02-25   92.01894