Trojan.Win32.Small.ev
| Detected | Sep 06 2005 11:38 GMT |
| Released | Mar 23 2007 09:04 GMT |
| Published | Sep 06 2005 11:38 GMT |
This Trojan is a Windows PE EXE file 40448 bytes in size.
Once launched, the Trojan creates the following files in the Windows system and root directories:
%System%\intell32.exe
%System%\oleext.dll
%System%\oleext32.dll
%System%\wppp.html
%Windir%\uninstIU.exe
It then registers itself in the system registry, ensuring that the Trojan file will be launched each time Windows is rebooted on the victim machine:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"intell32.exe" = "%System%\intell32.exe"
The Trojan also creates the following registry keys:
[HKCR\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update]
The Trojan will change the desktop configuration of the infected computer.
Trojan.Win32.Small.ev changes the following system registry key values to modify the background colour, wallpaper, and other desktop parameters:
[HKCU\Control Panel\Colors]
"Background" = "0 0 0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage" = "1"
"NoDispBackgroundPage" = "1"
[HKCU\Control Panel\Desktop]
"WallpaperStyle" = "0"
"Wallpaper" = "%SystemRoot%\%System%\wppp.html"
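The registry changes listed above can be checked offline against a `reg export` dump. The following is an added example, not part of the original description: it parses the .reg text format and reports which of the page's keys and values are present. The function names and the sample export are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKCR": "HKEY_CLASSES_ROOT"}
CV = r"\Software\Microsoft\Windows\CurrentVersion"
# Indicators from the description above, in the page's short-hive notation.
KEY_IOCS = [r"HKCR\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}",
            "HKLM" + CV + r"\Uninstall\Internet Update"]
VALUE_IOCS = [  # (key, value name, regex the data must match)
    ("HKCU" + CV + r"\Run", "intell32.exe", r"\\intell32\.exe$"),
    ("HKCU" + CV + r"\Policies\Explorer", "NoActiveDesktopChanges", r"^1$"),
    ("HKCU" + CV + r"\Policies\System", "NoDispAppearancePage", r"^1$"),
    ("HKCU" + CV + r"\Policies\System", "NoDispBackgroundPage", r"^1$"),
    (r"HKCU\Control Panel\Desktop", "Wallpaper", r"\\wppp\.html$"),
]  # Background and WallpaperStyle are left out: their listed values also occur on clean hosts

def expand(key):  # HKCU\... -> lower-cased HKEY_CURRENT_USER\... as .reg exports write it
    return (HIVES[key[:4]] + key[4:]).lower()

def parse_reg(text):  # -> {key: {value name: data}}; quoted data has \\ and \" unescaped
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                raw = str(int(raw[6:], 16))  # dword:00000001 -> "1"
            current[name.lower()] = re.sub(r"\\(.)", r"\1", raw[1:-1]) if raw[:1] == '"' else raw
    return keys

def scan(text):  # indicators from the page that are present in the export
    reg = parse_reg(text)
    hits = [k for k in KEY_IOCS if any((p + "\\").startswith(expand(k) + "\\") for p in reg)]
    for key, name, pattern in VALUE_IOCS:
        data = reg.get(expand(key), {}).get(name.lower())
        if data is not None and re.search(pattern, data, re.I):
            hits.append(f"{key}\\{name} = {data}")
    return hits

# Constructed sample export (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"intell32.exe"="C:\\WINDOWS\\system32\\intell32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=dword:00000001
[HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}]
'''
print("\n".join(scan(SAMPLE)))
```

Policy values are matched whether they were exported as strings or as DWORDs, since the description does not state their type.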
The Trojan causes the following wallpaper to be displayed:

It creates the following icon in the system tray:
When the mouse is passed over the icon shown above, the following message will be displayed:
Your computer is infected.
The Trojan will also cause the following message to be displayed at random intervals:

If the user double-clicks on the icon or a link created on the desktop, the Trojan will open the browser at http://www.psgu***.com/?aff=**&sub=0 and may download other files from this site.
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.
Trojan.