- Upon execution it drops the following files in the Temporary folder:
- It may download an executable file, then save it with a randomized file name to a newly created folder, also with a randomized name. At the time of this writing, the downloaded file can also be detected as W32/Waski.A!tr.
- Another downloaded file may exist in the following folder:
- %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\360.exe
- The following registry modifications are applied:
This registry entry contains encrypted data, such as "SIeOiEUL9PURFbh7Ljadcpo2CiU65gR0O9A=".
[RandomFileName] = "%AppData%\[RandomFolderName]\[RandomFileName].exe"
This registry entry enables the downloaded file to be automatically executed every time the infected user logs on.
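As an added defender-side example (not code from the original write-up), the following Python heuristic flags registry values with the two shapes described above: an autorun entry whose data is %AppData%\[folder]\[file].exe registered under the file's own base name, and an opaque base64-like blob. The value names, folder names and the OneDrive entry in the sample are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of registry value name -> data pairs (not from a real host).
# "Qwpeuz" has the shape the write-up describes for the autorun entry; "Config"
# (a made-up value name) holds the opaque string quoted in the write-up.
SAMPLE_VALUES: Dict[str, str] = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Qwpeuz": r"%AppData%\Tyxkqa\Qwpeuz.exe",
    "Config": "SIeOiEUL9PURFbh7Ljadcpo2CiU65gR0O9A=",
}

# %AppData% (or its expanded form ...\AppData\Roaming) followed by exactly one
# folder and one .exe, optionally quoted. Groups: folder name, file base name.
_APPDATA_EXE = re.compile(
    r'^"?(?:%AppData%|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming)'
    r'\\([A-Za-z0-9]+)\\([A-Za-z0-9]+)\.exe"?$',
    re.IGNORECASE,
)
# Base64 alphabet only, at least 16 characters, optional padding: the shape of
# an encrypted/encoded blob rather than a path or command line.
_B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def classify_value(name: str, data: str) -> str:
    """Heuristic verdict for one registry value. Legitimate software usually
    nests one level deeper (vendor folder, then product folder), so a lone
    folder directly under %AppData% whose .exe is registered under its own
    base name stands out."""
    data = data.strip()
    m = _APPDATA_EXE.match(data)
    if m:
        _folder, base = m.groups()
        if base.lower() == name.lower():
            return "suspicious: %AppData%\\<folder>\\<file>.exe registered under its own name"
        return "review: single-level %AppData% executable"
    if _B64_BLOB.match(data):
        return "suspicious: opaque base64-like blob stored in the registry"
    return "ok"


def scan_values(values: Dict[str, str]) -> List[str]:
    """Return the names of all values that are not plainly benign."""
    return [n for n, d in values.items() if classify_value(n, d) != "ok"]


if __name__ == "__main__":
    for n, d in SAMPLE_VALUES.items():
        print(f"{n}: {classify_value(n, d)}")
```

The heuristic is deliberately narrow; a real triage would pair it with a hash or signature check of the referenced executable.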
- This malware has been observed to connect to remote sites with the following details:
- This malware injects itself into the Windows Explorer process.
- It disguises itself by using the Adobe PDF icon.
- The original malware sample is deleted after execution.
- FortiGate Systems
- Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.