This threat was spammed in an email message as a hyperlink. Users that clicked on the hyperlink, an encoded HTML file was downloaded and run. This encoded HTML file retrieved an additional .CHM file from ''. The .CHM file uses a codebase exploit in order to retrieve and execute a binary file named "svchost.exe".
The file "svchost.exe" is a remote access Trojan that sends notification of its installation to a server-side PHP script; the server is located at the IP The script captures submitted data into a log file for a malicious user to browse - the information contains information related to the compromised system such as machine name, user name and other information.
This remote access Trojan is a variant of "Delf".

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option