W32/Winpup.B!tr
Analysis
- Trojan is 32 bit with a file size of 65,536 bytes
- Trojan may be introduced to the system from an installation program downloaded from the Internet from a malicious web site
- If Trojan is run, it may copy itself to the System folder under two file names:
  pup.exe
  sswchxm.exe
- The Trojan will then register the existing file MSINET.OCX to run as a server and assist the Trojan with Internet connections
- The registry could be modified to load the Trojan at each Windows logon:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
  sswchxm = C:\WINNT\System32\sswchxm.exe
- The Trojan will load at Windows logon, and periodically serve porn related web pages to the desktop using Internet Explorer
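The persistence entry described above can be checked for offline. The following is an added example, not code from the Fortinet write-up: it parses the text that `reg export` writes for a Run key and flags values matching the value name and file names listed in the analysis. The sample export embedded in the script is constructed for the demonstration.

```python
import re

# Indicators from the analysis above: Run value name and the two dropped file names.
SUSPECT_VALUE_NAME = "sswchxm"
SUSPECT_FILENAMES = {"sswchxm.exe", "pup.exe"}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')  # REG_SZ values only


def parse_run_values(reg_text):
    """Yield (key, name, data) for REG_SZ values under a ...\\CurrentVersion\\Run key.

    reg_text is the content of a .reg export (reg export writes UTF-16, so read
    the file with encoding="utf-16" before passing it in).
    """
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            key = m.group("key")
            continue
        if key and key.lower().endswith("\\windows\\currentversion\\run"):
            if (m := VALUE_RE.match(line)):
                # .reg format escapes backslashes and quotes inside string data.
                data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
                yield key, m.group("name"), data


def find_winpup_entries(reg_text):
    """Return [(key, name, data)] for Run entries matching the page's indicators."""
    hits = []
    for key, name, data in parse_run_values(reg_text):
        # Executable file name: strip quotes, take the last path element, drop arguments.
        exe = data.strip('"').split("\\")[-1].split(" ")[0].lower()
        if name.lower() == SUSPECT_VALUE_NAME or exe in SUSPECT_FILENAMES:
            hits.append((key, name, data))
    return hits


# Constructed sample export: one benign entry plus the persistence value from the analysis.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"sswchxm"="C:\\WINNT\\System32\\sswchxm.exe"
'''

if __name__ == "__main__":
    for key, name, path in find_winpup_entries(SAMPLE_EXPORT):
        print(f"suspicious Run entry under {key}: {name} = {path}")
```

A hit on either indicator is a reason to isolate the host and check the System folder for the two file names, not proof on its own.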
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option
- Using FortiGate manager, add the domain "retardedinternetgeek.com" to the list of blocked URLs as it is a known host of this malicious file and others
Telemetry
Detection Availability
Product | Detection
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |