• It drops a copy of itself as %SystemDir%\FlyingMarqu.scr.

  • The malware also attempts a connection to "". Note that the host name uses "wwp" instead of "www", so DNS resolution of this name would fail. Mirabilis is a known host for ICQ; the malware may have intended to use this channel to receive remote backdoor commands.

  • Recommended Action

    • Make sure that your FortiGate/FortiClient system is using the latest AV database.
    • Quarantine or delete files that are detected, and replace infected files with clean backup copies.
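
The following PowerShell snippet is an added triage example, not part of the original Fortinet entry. It checks the system directory for the dropped copy named above, records its hash and size for submission or cross-referencing, and moves the file into a quarantine folder instead of deleting it outright. The quarantine path, the use of SHA-256 and the checking for a running process are assumptions of this example; the page itself only names the dropped file.

```powershell
# Added example (not from the original advisory): locate, record and quarantine
# the dropped screensaver copy described on this page.

$DroppedName = 'FlyingMarqu.scr'                         # file name from the advisory
$SystemDir   = [Environment]::SystemDirectory            # resolves %SystemDir%
$Dropped     = Join-Path $SystemDir $DroppedName
$Quarantine  = 'C:\Quarantine'                           # assumption: any local folder works

if (-not (Test-Path -LiteralPath $Dropped)) {
    Write-Output "Not found: $Dropped"
    return
}

# Record evidence before touching the file (hash, size, timestamps).
$item = Get-Item -LiteralPath $Dropped
$hash = (Get-FileHash -LiteralPath $Dropped -Algorithm SHA256).Hash
Write-Output ("Found {0}  size={1}  sha256={2}  created={3}" -f `
    $item.FullName, $item.Length, $hash, $item.CreationTimeUtc)

# Assumption: a running instance would show up as a process with this name;
# stop it so the file handle is released before quarantine.
Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($DroppedName)) -ErrorAction SilentlyContinue |
    Stop-Process -Force -ErrorAction SilentlyContinue

# Move (not delete) into quarantine, renamed so it cannot run as a .scr.
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
$dest = Join-Path $Quarantine ("{0}.{1}.quarantined" -f $DroppedName, $hash.Substring(0, 8))
Move-Item -LiteralPath $Dropped -Destination $dest -Force
Write-Output "Quarantined to $dest"
```

Run from an elevated prompt, since the system directory is not writable by a standard user. Keeping the hash and the renamed file lets you submit the sample or confirm the detection after the AV database is updated, as the recommended actions above suggest.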