W32/Shiotob.LE!tr

Analysis


W32/Shiotob.LE!tr is a generic detection for a family of trojans that drop malicious files onto the compromised computer and establish unwanted network activity. Because this is a generic detection, samples detected as W32/Shiotob.LE!tr may vary in behavior.
Below are examples of some of these behaviors:

  • It drops a copy of itself with a randomized name in the All Users' Profile folder.

  • It creates the following registry entry to automatically execute its dropped copy:
    • key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    • value: [Random]
    • data: %AllUsersProfile%\[Random].exe

  • It attempts to connect to certain sites, such as:
    • ddn{Removed}11.ru
    • dns{Removed}s22.ru

  • The original copy of the malware is deleted after execution.
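The persistence mechanism listed above (an Explorer\Run policy value launching an executable from the All Users' Profile folder) can be checked for on a host without relying on the AV signature. The following PowerShell script is an added example and is not part of the Fortinet write-up; it reads the registry key named above, expands %AllUsersProfile% the way the loader would, and reports any value whose binary lives under that folder, together with the file's SHA-256 for triage. It only reads and reports; it does not delete anything. The function name Get-SuspiciousExplorerRunEntries and the object fields are this example's own, not a Fortinet or Windows API.

```powershell
# Added example (not from the Fortinet write-up): audit the Explorer\Run policy key
# for entries that launch an executable from %AllUsersProfile%, the pattern the
# analysis describes. Read-only. Run in an elevated PowerShell session on the host
# being inspected.

$RunKeyPath      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$AllUsersProfile = [Environment]::ExpandEnvironmentVariables('%AllUsersProfile%')

function Get-SuspiciousExplorerRunEntries {
    param(
        [string]$KeyPath    = $RunKeyPath,
        [string]$ProfileDir = $AllUsersProfile
    )

    # On a clean default install this policy key usually does not exist at all.
    if (-not (Test-Path -Path $KeyPath)) {
        return @()
    }

    $key = Get-Item -Path $KeyPath

    $findings = foreach ($valueName in $key.GetValueNames()) {
        # Read the raw data without expanding REG_EXPAND_SZ, so we can show
        # the operator exactly what was written (e.g. %AllUsersProfile%\xyz.exe).
        $raw = [string]$key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }

        # Expand environment variables and strip surrounding quotes to get a real path.
        $expanded = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')

        # Drop any command-line arguments that follow the executable name.
        $exePath = if ($expanded -match '^(.*?\.exe)') { $Matches[1] } else { $expanded }

        $inProfile  = $exePath.StartsWith($ProfileDir, [StringComparison]::OrdinalIgnoreCase)
        $fileExists = Test-Path -LiteralPath $exePath -PathType Leaf

        # Hash the binary when present so the finding can be matched against
        # threat-intel or submitted for analysis without copying the file around.
        $sha256 = if ($fileExists) {
            (Get-FileHash -LiteralPath $exePath -Algorithm SHA256).Hash
        } else {
            $null
        }

        [pscustomobject]@{
            ValueName         = $valueName
            RawData           = $raw
            BinaryPath        = $exePath
            InAllUsersProfile = $inProfile
            FileExists        = $fileExists
            SHA256            = $sha256
            # Flag only the pattern from the write-up; an admin-deployed entry
            # elsewhere on disk is not, by itself, evidence of this trojan.
            Suspicious        = $inProfile
        }
    }

    return @($findings)
}

$results = Get-SuspiciousExplorerRunEntries
$results | Format-Table -AutoSize

$hits = @($results | Where-Object { $_.Suspicious })
if ($hits.Count -gt 0) {
    Write-Warning ("{0} Explorer\Run policy value(s) launch from {1}; review the listed binaries " +
                   "and hashes before quarantining.") -f $hits.Count, $AllUsersProfile
}
```

Because the write-up says the dropped copy uses a randomized name, the check deliberately keys on the location and launch mechanism rather than on a filename, which is what survives from sample to sample; pair it with a review of .exe files in the root of %AllUsersProfile% if you want to catch a dropped copy whose Run value has already been removed.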

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

  • FortiGate: Extended
  • FortiClient: Extreme
  • FortiAPS
  • FortiAPU
  • FortiMail: Extreme
  • FortiSandbox: Extreme
  • FortiWeb: Extreme
  • Web Application Firewall: Extreme
  • FortiIsolator: Extreme
  • FortiDeceptor: Extreme
  • FortiEDR

Version Updates

Date        Version    Detail
2022-05-24  90.02591