Trojan-Downloader.Win32.Small.cdk

Technical Details

This Trojan will download and launch new versions of itself on the victim machine, without the user’s knowl-edge or consent. It is a Windows PE EXE file. The file is approximately 6KB in size. It is packed using NsPack. The unpacked file is approximately 32KB in size. It is written in Visual C++.

Payload

When launched, the Trojan creates the following system registry key to flag its repeated launch:

(The numbers in the parameter may differ from variant to variant of the Trojan).

The Trojan tracks firewall (Agnitum Outpost, ZoneAlarm, the standard Windows XP SP2 firewall) activity, and gives itself unrestricted access to the Internet. It does this by searching for windows which ask the user whether to block such activity, and causing such activity to be allowed.)

For instance, the Trojan will search for an Agnitum Outpost window with the following heading:

It will tick the box marked "Allow all activities for this application” and press “OK”.

The Trojan also downloads and launches the files listed below for execution on the victim machine:

• http://iframeurl.biz/***/dl.php?adv=adv470 — will be saved as %Windir%\uniq;
• http://iframeurl.biz/***/kl.txt — will be saved as %Windir%\kl.exe;
• http://iframeurl.biz/***/tool2.txt — will be saved as %Windir%\tool2.exe;
• http://iframeurl.biz/***/country.php — will be saved as %Windir%\country.exe;
• http://iframeurl.biz/***/secure32.php — will be saved as %Windir%\secure32.html;
• http://iframeurl.biz/***/paytime.txt — will be saved as %System%\paytime.exe;
• http://iframeurl.biz/***/hosts.txt — will be saved as %Windir%\hosts;
• http://iframeurl.biz/***/dluniq..... — will be saved as %Windir%\uniq.

At the moment of writing, these links were not working.

The Trojan will download the following file to Italian versions of the operating system:

• http://iframeurl.biz/***/it.txt – will be saved as "%Windir%\countrydial.exe"

The Trojan will download the following files to non-Italian version of the operating system, and launch them for execution:

• http://iframeurl.biz/***/tool1.txt — will be saved as %Windir%\tool1.exe;
• http://iframeurl.biz/***/tool3.txt — will be saved as %Windir%\tool3.exe;
• http://iframeurl.biz/***/tool4.txt — will be saved as %Windir%\tool4.exe;
• http://iframeurl.biz/***/tool5.txt — will be saved as %Windir%\tool5.exe;
• http://iframeurl.biz/***/ms1.php — will be saved as %Windir%\ms1.exe.

Removal instructions

1. Use Task Manager to terminate the Trojan process:
2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
3. Delete the following key from the system registry:
   [HKCU\Software\Microsoft\Windows\CurrentVersion]
   "adv470" = "adv470"
4. Terminate the following processes and delete the following files:
   "%Windir%\uniq"
   "%Windir%\kl.exe"
   "%Windir%\tool2.exe"
   "%Windir%\country.exe"
   "%Windir%\secure32.html"
   "%System%\paytime.exe"
   "%Windir%\hosts"
   "%Windir%\countrydial.exe"
   "%Windir%\tool1.exe"
   "%Windir%\tool3.exe"
   "%Windir%\tool4.exe"
   "%Windir%\tool5.exe"
   "%Windir%\ms1.exe"
5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).