This morning, while looking through the customer submissions to Sophos (how to submit samples), I saw a sample with the ‘Rule or identity name triggered by this file (if applicable)’ form field filled in as HIPS/RegMon-009.
SophosLabs' automated scans showed the sample to be a malicious AutoIt file. Running the file through the automated replication rigs here in SophosLabs, it also hit the following HIPS rules:
For a description of HIPS rules click here.
I have written exact detection and disinfection for this malicious AutoIt file as Troj/Tiotua-U. Enabling HIPS detection on your network could have prevented infection by this Trojan.