Threat Encyclopedia



  • Drops the following files:
    • c:\windows\system32\adirss.exe
    • c:\windows\system32\lnwin.exe
    • c:\windows\system32\wincom32.ini
    • c:\windows\system32\wincom32.sys
  • Tries to access the following URLs:
    • http://81.17{REMOVED}/cp/rule.php?fstt=1&b=72&w=back&name=name_of_the_computer_72&v=1&13
    • http://209.12{REMOVED}/cp/rule.php?fstt=1&b=72&w=back&name=name_of_the_computer_72&v=1&8088
  • Adds the following registry:
    • key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • value: lnwin.exe
    • data: c:\windows\system32\lnwin.exe
    • key: HKLM\SYSTEM\ControlSet001\Services\wincom32\ImagePath
    • value:
    • data: c:\windows\system32\lnwin.exe
    • key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    • value: sysinter
    • data: c:\windows\system32\adirss.exe

    recommended-action-logoRecommended Action

      FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    Telemetry logoTelemetry