This threat is a group of several files, including downloader Trojans. When a user connects to an offending site using Internet Explorer, the user is at risk of having files downloaded automatically to the system and of having the Internet Explorer start page settings altered.
The Trojan works by writing a short HTML file to the target system; this file initiates the download of the downloader Trojan components. The HTML file is loaded into Internet Explorer as a hidden process, and the remaining files are then downloaded and run.
The Trojan connects to the IP address 184.108.40.206 to download a number of files and threats, some of them .EXE files and others .DLL files.
The first file in this threat family downloads "rename.exe" from 220.127.116.11 and runs it. This .EXE file then downloads two files, System87.dll and win86.exe, from the same IP address. The Trojan then runs "Win86.exe", which downloads "System86.dll".
Finally, this .DLL retrieves "winpop.exe" and executes it. The function of "winpop.exe" is to track the sites visited by the compromised user.
Loading at Windows Startup
The Trojan may register itself to load at each Windows startup by adding the following startup value:

WinInit = Win86.exe

The referenced file, Win86.exe, resides in the Windows directory (WINDIR).
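The following PowerShell triage script is an added example and is not part of the original encyclopedia entry. It checks a Windows host for the artefacts described above: the WinInit startup value referencing Win86.exe, the dropped files in the Windows directory, and any of the dropper executables still running. The entry does not state which registry hive or key holds the WinInit value, so the script assumes the standard Run and RunOnce keys under HKLM and HKCU; the file names are the ones named in the text.

```powershell
# Added host triage example (not code from the original entry).
# Checks for the indicators described in the text:
#   - a startup value named WinInit, or any Run/RunOnce value naming Win86.exe
#   - the dropped files in the Windows directory (WINDIR)
#   - running processes with the dropper image names
# Assumption: the startup value lives in a standard Run/RunOnce key;
# the entry does not state the hive or key, so both HKLM and HKCU are checked.

$winDir  = $env:WINDIR
$dropped = @('rename.exe', 'win86.exe', 'System86.dll', 'System87.dll', 'winpop.exe')

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties that the registry provider adds to every Get-ItemProperty result
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$findings = @()

# 1. Startup persistence: value named WinInit, or any value whose data names Win86.exe
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        if ($p.Name -eq 'WinInit' -or ("$($p.Value)" -match '(?i)win86\.exe')) {
            $findings += [pscustomobject]@{
                Type     = 'Startup'
                Location = "$key\$($p.Name)"
                Detail   = "$($p.Value)"
            }
        }
    }
}

# 2. Dropped files in WINDIR, with a SHA-256 hash for later correlation
foreach ($name in $dropped) {
    $path = Join-Path -Path $winDir -ChildPath $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $path
            Detail   = "SHA256 $hash"
        }
    }
}

# 3. Dropper executables that are still running
foreach ($name in @('rename.exe', 'win86.exe', 'winpop.exe')) {
    $base = [System.IO.Path]::GetFileNameWithoutExtension($name)
    Get-Process -Name $base -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{
            Type     = 'Process'
            Location = "PID $($_.Id)"
            Detail   = "$($_.Path)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this entry were found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run the script from an elevated PowerShell session so that the HKLM keys and the Windows directory are readable. A hit on the Startup check alone is the strongest signal, since the file names are generic enough that a legitimate program could in principle share them; treat the file and process matches as corroboration and compare the reported hashes against your AV vendor's signatures before cleaning the host.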
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push
- Add the IP address 18.104.22.168 to the list of URLs to block