Trojan-Downloader.Win32.Small.ccm

Technical Details

This Trojan downloads other programs via the Internet and launches them for execution on the victim machine without the user’s knowledge or consent. The Trojan is a Windows PE EXE file. The file is approximately 9KB in size. It is packed using PECompact. The unpacked file is approximately 22KB in size.

Installation

When launched, the Trojan copies its executable file to the Windows system directory:

%System%\q<random_number>q.exe

The Trojan also extracts the following file from its body:

%System%\z<random_number>z.dll

In order to ensure that the Trojan is launched automatically each time Windows is restarted, the Trojan registers its executable file in the system registry:

The original Trojan executable file is then deleted.

Payload

The Trojan creates the following system registry key parameters:

%System%\z<random_number>z.dll loads itself to all active processes in the system, and will delete itself instantly if the name of the process is not iexplore.exe.

Once loaded into iexplore.exe, the Trojan component will:

• Open the URL specified in the following registry key parameter:

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion]
  irf = http://amsterdam.9966.org/**/loads/

• Download a file from the link in the following registry key parameter:

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion]
  xfv = http://www.original-ie-cards.com/loads/**/svchost.exe

• It will save this file to the Windows system directory as:

  %System%\a<random_number>a.exe 

  The file will then be launched for execution.

  (At the moment of writing, this link was not working.)

The Trojan also creates the following registry key parameter, and save its configuration to this key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion]
38fh

The Trojan scans the system for windows with the following titles:

Warning: Components Have Changed
Warning: some components changed
Hidden Process Requests Network Access
Allow all activities for this application

It will simulate a mouse click on "OK" or "Unblock" in these windows.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the Trojan process and iexplore.exe.
2. Delete the following files:

   %System%\q<random_number>q.exe
   %System%\z<random_number>z.dll
   %System%\a<random_number>a.exe

3. Delete the following system registry key parameter:
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "tiwc" = "%System%\q<random_number>q.exe"
4. Delete the following system registry key parameters:

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion]
   xfv
   irf
   38fh

5. Update your antivirus databases and perform a full scan of the computer ( download a trial version of Kaspersky Anti-Virus).