This threat combines vulnerabilities and exploits in order to run its code. It is believed that several websites were compromised and the malicious code was uploaded to them.
One of the scripts uses an Object Data tag to download and run "help.chm". This compiled HTML Help file extracts a binary, "helper.exe", which may in turn download adware components. In addition, the web browser may be directed or redirected to a web page, and the browser's start page may be modified.
The threat uses a combination of misdirection, encoded scripting, and a "msits/mhtml" vulnerability in order to execute code on the target system.
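The delivery chain described above (an Object Data tag whose target is a CHM file or an ms-its:/mhtml: URL) is something a web proxy or mail gateway can flag before the browser ever sees it. The scanner below is an added example, not Fortinet's own detection logic or part of this entry; the HTML it scans is constructed for illustration, and the scheme list and the `.chm` suffix check are assumptions drawn from the vulnerability named in the text.

```python
"""Flag HTML <object> tags whose data attribute points at a compiled HTML
Help (.chm) file or uses an ms-its:/mhtml: URL scheme.

Added example for detection on a proxy or gateway; not the vendor's code.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# URL schemes handled by the Windows HTML Help / MHTML protocol handlers
# that the described threat abuses (assumed list, based on the entry's
# mention of the "msits/mhtml" vulnerability).
SUSPICIOUS_SCHEMES = {"ms-its", "mhtml"}


def classify_object_data(url: str):
    """Return a short reason string if the URL looks like CHM/MHTML
    delivery, otherwise None."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme in SUSPICIOUS_SCHEMES:
        return f"{scheme}: URL scheme"
    # ms-its style paths look like "help.chm::/page.htm"; the part before
    # "::" is the container file, which is what we test for a .chm suffix.
    target = parts.path.lower().split("::")[0]
    if target.endswith(".chm"):
        return "references a compiled HTML Help (.chm) file"
    return None


class ObjectDataScanner(HTMLParser):
    """Collect (url, reason) pairs for every suspicious <object data=...>."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "object":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        data = attr.get("data", "")
        if not data:
            return
        reason = classify_object_data(data)
        if reason:
            self.findings.append((data, reason))


def scan_html(html: str):
    """Parse a page and return the list of suspicious object targets."""
    parser = ObjectDataScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one benign object plus the three patterns the
# entry describes (a bare .chm, an ms-its: URL, an mhtml: URL).
SAMPLE_HTML = """
<html><body>
<p>Loading...</p>
<object data="help.chm" type="application/octet-stream"></object>
<object data="ms-its:help.chm::/helper.htm"></object>
<object data="mhtml:http://example.invalid/index.html!x.htm"></object>
<object data="movie.swf"></object>
<img src="logo.png">
</body></html>
"""

if __name__ == "__main__":
    for url, reason in scan_html(SAMPLE_HTML):
        print(f"suspicious object: {url!r} ({reason})")
```

Running the script prints the three offending object targets and leaves the Flash object alone. In a gateway, the same `scan_html` call can run over the response body and the presence of any finding can drive a block or a log event.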

Recommended Action

  • Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.