This Trojan is a 32-bit executable; the UPX-packed file is 292,695 bytes in size. When run, it starts a hidden Internet Explorer process and injects its code into that process. The Trojan then retrieves binary files from hard-coded websites.
File Download Routine
The Trojan downloads other UPX-packed files from domains that fall in the "" domain. This Trojan will get the files from
Where <random> is a random string. The Trojan performs a DNS query against the name, which resolves to the IP address TCP trace utilities indicate the Trojan makes connections with other similar IP addresses -
The downloaded files are binary files with a ".int" extension, such as -
The downloaded files are written to newly created folders on the system. The Trojan may create strangely named folders such as these -
C:\..\All Users\Application Data\admin title delete defy\
C:\..\<user name>\Application Data\JUMP ROAD NOUN\
In these folders, the Trojan will copy the downloaded files as .EXE files. The names of the files are also strange, such as these -
Close amen remote more.exe
hope drv readme.exe
Owns This Vc.exe
Drive bin.exe
Many of the downloaded files are spyware/adware programs.
Loading at Windows startup
The Trojan may register some of the retrieved files to load at Windows startup by adding entries into the registry such as these examples -
"thunkburn" = <path>\Owns This Vc.exe
HKEY_CLASSES_ROOT\CLSID\{<unique CLSID>}
"64535DBE" = 2C0411726CB7B446F792
HKEY_CLASSES_ROOT\CLSID\{<unique CLSID>}\InprocServer32\
"(Default)" = <path>\Drive bin.exe
"ThreadingModel" = Apartment
"DeleteDefySendRoad" = <path>\Thunkfilm.exe
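As an added triage check that is not part of this entry: a Python script that walks a .reg-style export and flags load-point values (CurrentVersion\Run, RunOnce and CLSID InprocServer32 defaults) whose target is an executable under Application Data or carries a multi-word file name like the ones listed above. It assumes the "thunkburn" value lives under a CurrentVersion\Run key; the export, the CLSIDs and the user paths below are constructed placeholders, not captured data.

```python
import re
# Constructed sample of a .reg-style export (hypothetical, not a capture) that
# reproduces the persistence patterns described above: a Run value and a CLSID
# InprocServer32 default both pointing at executables dropped under
# Application Data. The CLSIDs and user names are placeholders.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"thunkburn"="C:\\Documents and Settings\\All Users\\Application Data\\admin title delete defy\\Owns This Vc.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Documents and Settings\\user\\Application Data\\JUMP ROAD NOUN\\Drive bin.exe"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
"""

# Registry keys whose values are executed at startup or on COM object creation.
LOAD_POINTS = (r"\currentversion\run", r"\currentversion\runonce", r"\inprocserver32")
# Matches a .reg value line: "name"="data" or the key default @="data".
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))="(?P<data>.*)"$')

def load_point_findings(reg_text):
    """Return (key, value_name, path, reasons) for load-point values whose
    target matches the dropper pattern: an executable under Application Data
    and/or a multi-word file name like those listed in this entry."""
    findings = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]              # new key section
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(LOAD_POINTS):
            continue
        path = m.group("data").replace("\\\\", "\\")   # undo .reg escaping
        reasons = []
        if "\\application data\\" in path.lower():
            reasons.append("executable under Application Data")
        basename = path.rsplit("\\", 1)[-1]
        if basename.lower().endswith(".exe") and len(basename[:-4].split()) >= 2:
            reasons.append("multi-word executable name")
        if reasons:
            findings.append((key, m.group("name") or "(Default)", path, reasons))
    return findings

if __name__ == "__main__":
    for key, name, path, reasons in load_point_findings(SAMPLE_REG_EXPORT):
        print(f"{key}\n  {name} = {path}\n  -> {', '.join(reasons)}")
```

On a live system the same function can be fed the output of `reg export` for the Run and CLSID hives; legitimate entries such as ctfmon.exe and shell32.dll in the sample produce no finding.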
In one "nice" aspect, at least one of the downloaded files has an uninstall routine that can be accessed through the "Add/Remove Software" applet in the Control Panel -
CurrentVersion\Uninstall\64 slow user\
"DisplayName" = Search Plugin
"UninstallString" = <path>\Owns This Vc.exe -uninstall

Recommended Action

Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.