Threat Encyclopedia

  • Deletes itself from the current folder.

  • Adds the following registry entry (the data points at the copy dropped into the Windows folder):
    • key: SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    • value: MsIMMs32
    • data: <Windows folder>\MsIMMs32.exe
  • Drops the file MsIMMs32.exe into the Windows folder.

  • Drops the file MsIMMs32.dll into the System folder, then injects it into the process of explorer.exe.

  • Searches for the client window of PoTianYiJian, then steals the accounts and passwords of this online software.

  • The stolen information is sent to the following URL:
    • http://www.{REMOVED}.com/xinpotian/lin.asp
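A host check for the persistence value and dropped files listed above, added here as an example and not Fortinet's code: it assumes the "System folder" is System32 and reads both HKLM and HKCU, since the entry names no hive; the matching logic is kept in a pure function so it can be run against a registry export or other collected data as well.

```python
import os
import sys

# Indicators taken from the entry above; "System folder" is assumed to be
# System32, and both HKLM and HKCU are checked since the entry names no hive.
RUN_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
RUN_VALUE_NAME = "MsIMMs32"
DROPPED_EXE = "MsIMMs32.exe"   # dropped into the Windows folder
DROPPED_DLL = "MsIMMs32.dll"   # dropped into the System folder, injected into explorer.exe


def assess(run_values, windows_files, system_files):
    """Return a list of matched indicators (empty means clean).

    run_values:    iterable of (hive, value_name, data) from ...\\Explorer\\Run
    windows_files: file names found in the Windows folder
    system_files:  file names found in the System folder
    Names are compared case-insensitively, as the registry and NTFS are.
    """
    hits = []
    for hive, name, data in run_values:
        if name.lower() == RUN_VALUE_NAME.lower() or DROPPED_EXE.lower() in str(data).lower():
            hits.append(f"registry: {hive}\\{RUN_POLICY_KEY}\\{name} = {data}")
    if any(f.lower() == DROPPED_EXE.lower() for f in windows_files):
        hits.append(f"file: {DROPPED_EXE} in Windows folder")
    if any(f.lower() == DROPPED_DLL.lower() for f in system_files):
        hits.append(f"file: {DROPPED_DLL} in System folder")
    return hits


def collect_live():
    """Read the real key and folders; Windows only (needs winreg)."""
    import winreg
    values = []
    for label, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, RUN_POLICY_KEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                    name, data, _ = winreg.EnumValue(key, i)
                    values.append((label, name, data))
        except OSError:
            pass  # key absent in this hive: nothing persisted there
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    return values, os.listdir(windir), os.listdir(os.path.join(windir, "System32"))

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live collection needs Windows; assess() holds the matching logic")
    for hit in assess(*collect_live()) or ["no indicators from this entry found"]:
        print(hit)
```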

Recommended Action

  FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.

  FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.