Trojan-Downloader.Win32.Small.yx

Technical Details

This Trojan program downloads files via the Internet without the knowledge or consent of the user.

The Trojan itself is a Windows PE EXE file approximately 3KB in size, packed using FSG. The unpacked file is approximately 12KB in size.

It downloads the following files from the server:

dktibs.exe
mstask1.exe
mstask2.exe
mstask3.exe
systime.exe
test
toolbar.exe

The Trojan then copies itself to the Windows system and root directories and launches itself for execution.

It also changes the "%System%\drivers\etc\hosts" file by appending the text below, blocking access to these sites.

127.0.0.3 aaasexypics.com
127.0.0.3 allforadult.com
127.0.0.3 autoescrowpay.com
127.0.0.3 awmdabest.com
127.0.0.3 counter.sexmaniack.com
127.0.0.3 iframe.biz
127.0.0.3 newiframe.biz
127.0.0.3 n-glx.s-redirect.com
127.0.0.3 pizdato.biz
127.0.0.3 sexfiles.nu
127.0.0.3 vesbiz.biz
127.0.0.3 virgin-tgp.net
127.0.0.3 www.aaasexypics.com
127.0.0.3 www.allforadult.com
127.0.0.3 www.autoescrowpay.com
127.0.0.3 www.awmdabest.com
127.0.0.3 www.iframe.biz
127.0.0.3 www.newiframe.biz
127.0.0.3 www.pizdato.biz
127.0.0.3 www.sexfiles.nu
127.0.0.3 www.vesbiz.biz
127.0.0.3 www.virgin-tgp.net
127.0.0.3 x.full-tgp.net

Small.yx terminates processes where the names contain the text strings listed below:

actalert.exe 
alchem.exe 
bargains.exe 
bdl74125.exe 
bitmap.tmp 
exdl.exe 
exploit.exe 
file.exe 
fnnmqi.exe 
fucker.exe 
host32.exe 
iinstall.exe 
Installer2.exe 
intron.exe 
intronet.exe 
ir.exe 
istsvc.exe 
loadclean.exe 
lpt.exe 
msxmidi.exe 
optimize.exe 
PEPEmsPE.exe 
powerscan.exe 
printer.exe 
printer32.exe 
services.exe 
sidefind.exe 
s-PEPE.exe 
telnet.exe 
teur.exe 
ttgkirnl.exe 
twink64.exe 
usb.exe 
Winad.exe 
WinClt.exe 
winmm64.exe 
ykyrtws.exe