W32/Tiny.BW!tr.dldr
Analysis
- Copies itself to the following folders using a random filename:
  - System folder
  - C:\Documents and Settings\User\Local Settings\Application Data
Autostart Mechanism
- Adds the following registry entries:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  [Random] = "[System folder]\[Random]"
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  [Random] = "C:\Documents and Settings\User\Local Settings\Application Data\[Random]"
  Note: [Random] refers to the random filename of the copy of this trojan; [System folder] refers to the Windows system folder.
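The persistence described above can be checked for on a host with the following PowerShell snippet. It is an added example, not Fortinet's code, and assumes it runs on the affected Windows machine with rights to read HKLM and HKCU; it lists entries in the Run and RunServices keys named on this page whose target lives in the system folder or the user's Local Settings\Application Data folder and is not validly signed.

```powershell
# Added detection helper (not Fortinet's code). Assumes it runs on the
# affected Windows host with rights to read HKLM and HKCU.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

# Folders the page names as drop locations. $env:LOCALAPPDATA covers the
# "Local Settings\Application Data" location on newer Windows versions.
$dropDirs = @("$env:SystemRoot\system32", $env:LOCALAPPDATA,
              "$env:USERPROFILE\Local Settings\Application Data")

function Get-SuspiciousRunEntries {
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata
            # Expand %VAR% references, strip quotes and arguments to get the executable path
            $raw = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
            $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split ' ')[0] }
            $dir = Split-Path -Path $exe -Parent -ErrorAction SilentlyContinue
            if (-not $dir) { continue }
            $inDrop = $dropDirs | Where-Object { $_ -and ($dir.TrimEnd('\') -ieq $_.TrimEnd('\')) }
            if (-not $inDrop) { continue }
            # A validly signed file in these folders is normal; anything else
            # (unsigned, or already deleted) deserves a closer look.
            $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'Missing' }
            if ($sig -ne 'Valid') {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Path = $exe; Signature = $sig }
            }
        }
    }
}

Get-SuspiciousRunEntries | Format-Table -AutoSize
```

A random-looking value name pointing at an unsigned file in one of these folders matches the behaviour described above and should be compared against the filename reported by the AV engine.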
Backdoor and/or Trojan Behavior
- Attempts to download files from the following URL:
http://ad.el{REMOVED}.com/BN/45aTq2V13X
This site is unavailable as of this writing.
Recommended Action
FortiGate systems:
- Check the main screen of the FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
Detection Availability

| Product | Detection |
|---|---|
| FortiClient | Extreme |
| FortiMail | Extreme |
| FortiSandbox | Extreme |
| FortiWeb | Extreme |
| Web Application Firewall | Extreme |
| FortiIsolator | Extreme |
| FortiDeceptor | Extreme |
| FortiEDR | |