Virus

W32/Winpup.B!tr

Analysis

  • The Trojan is a 32-bit executable with a file size of 65,536 bytes
  • The Trojan may be introduced to the system by an installation program downloaded from a malicious web site
  • If the Trojan is run, it may copy itself to the System folder under two file names -

    pup.exe
    sswchxm.exe

  • The Trojan then registers the existing file MSINET.OCX (the Microsoft Internet Transfer Control) as a server component and uses it for its own Internet connections

  • The registry could be modified to load the Trojan at each Windows logon -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    sswchxm = C:\WINNT\System32\sswchxm.exe

  • The Trojan loads at each Windows logon and periodically opens pornographic web pages on the desktop using Internet Explorer
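Added example (not part of Fortinet's entry): a Python triage script that looks for the persistence and dropped-file indicators listed above in an exported registry file and a file listing. The sample .reg text and file paths are constructed, and the handling of .reg syntax is a simplified assumption covering plain string values only.

```python
"""Host triage check for the W32/Winpup.B!tr indicators described above.

Added example, not Fortinet's own tool. It scans Windows registry export
(.reg) text for the Run value and checks a list of file paths for the two
dropped file names. Sample data below is constructed for demonstration.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED_NAMES = {"pup.exe", "sswchxm.exe"}   # file names from the analysis
RUN_VALUE = "sswchxm"                         # Run value name from the analysis

def find_run_entries(reg_text):
    """Return {value_name: data} for every string value under the Run key."""
    entries, in_run_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)      # "Name"="data"
        if in_run_key and m:
            # .reg files double backslashes inside string data; undo that
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries

def suspicious_run_entries(reg_text):
    """Run values whose name or target file matches the Winpup.B indicators."""
    hits = {}
    for name, data in find_run_entries(reg_text).items():
        first = (data.strip('"').split() or [""])[0]   # executable, no args
        target = first.rsplit("\\", 1)[-1].lower()
        if name.lower() == RUN_VALUE or target in DROPPED_NAMES:
            hits[name] = data
    return hits

def suspicious_files(paths, system_dir):
    """Paths of the dropped file names located inside the System folder."""
    prefix = system_dir.rstrip("\\").lower() + "\\"
    return sorted(p for p in paths
                  if p.lower().startswith(prefix)
                  and p.rsplit("\\", 1)[-1].lower() in DROPPED_NAMES)

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sswchxm"="C:\\WINNT\\System32\\sswchxm.exe"
"Synchronization Manager"="mobsync.exe /logon"
'''
SAMPLE_FILES = [r"C:\WINNT\System32\sswchxm.exe", r"C:\WINNT\System32\pup.exe",
                r"C:\WINNT\System32\MSINET.OCX", r"C:\Temp\pup.exe"]

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_REG))
    print(suspicious_files(SAMPLE_FILES, r"C:\WINNT\System32"))
```

On a real host, feed it the output of `reg export` for the Run key and a directory listing of the System folder; the Temp copy in the sample is deliberately ignored because the analysis only names the System folder.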

Recommended Action

  • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using FortiGate manager, add the domain "retardedinternetgeek.com" to the list of blocked URLs, as it is a known host of this malicious file and others