Internet threat level: 1
Home→Descriptions→Trojan-Downloader.Win32.Small.ddp
Trojan-Downloader.Win32.Small.ddp
| Detected | Apr 03 2007 12:57 GMT |
| Released | Apr 17 2007 04:15 GMT |
| Published | Apr 03 2007 12:57 GMT |
Payload
Removal instructions
Technical Details
This Trojan downloads other malicious programs. It is a Windows PE EXE file. It is written in Microsoft Visual C++. It is not packed in any way. The size of infected files may vary from 20KB to 27KB.Payload
Once launched, the Trojan extracts a file from itself, and saves it to the C:\Windows directory as "inetloader.dll".
This file will then be registered in the system using regsrv32.exe. It will download the following file from the Internet: http://soft.*****incash.com/loader/run.xml. This file contains links to other files, and the paths used to save them. The Trojan then downloads files from the links given.
At the moment of writing, the “run.xml” file contained links to the following files:
- http://soft.*****incash.com/contextual/ticads.exe — this file will be detected by Kaspersky Anti-Virus as Trojan-Downloader.Win32.Small.ddp;
- http://soft.*****incash.com/popups/tpopup.exe — this file will be detected by Kaspersky Anti-Virus as not-a-virus:AdWare.Win32.Trustin.a;
- http://soft.*****incash.com/se/tse.exe — this file will be detected by Kaspersky Anti-Virus as Trojan-Downloader.Win32.Small.ddp;
- http://soft.*****incash.com/tcleaner/tctool.exe — this file will be detected by Kaspersky Anti-Virus as Trojan-Downloader.Win32.WarSpy.d;
- http://soft.*****incash.com/toolbar/trustinbar.exe — this file will be detected by Kaspersky Anti-Virus as not-a-virus:AdWare.Win32.Azesearch.h;
- http://soft.*****incash.com/url/url.exe — this file will be detected by Kaspersky Anti-Virus as Trojan-Downloader.Win32.Small.ddp.
The downloaded files are saved to the Windows root directory:
%windir%\ticads.exe %windir%\tpopup.exe %windir%\tse.exe %windir%\tctool.exe %windir%\trusnibar.exe %windir%\url.exe
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following file:
C:\Windows\inetloader.dll
- Delete the following files:
%windir%\ticads.exe %windir%\tpopup.exe %windir%\tse.exe %windir%\tctool.exe %windir%\trusnibar.exe %windir%\url.exe
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.
Information about the names and locations of the programs which are downloaded are in the Trojan code, or are downloaded by the Trojan from an Internet resource (usually a web page).
This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.
Trojan-Downloader.
- Trojan.
Win32. Agent. wg (Kaspersky Lab) - Trojan:
AZESearch (McAfee) - Troj/DropRun-D (Sophos)
- Trojan.
Dropper. Small-177 (ClamAV) - Adware/TrustIn (Panda)
- W32/Downloader.
AFGO (FPROT) - TrojanDownloader:
Win32/Small (MS(OneCare)) - Adware.
TrustIn (DrWeb) - Win32/TrojanDownloader.
Small. DDP trojan (Nod32) - Trojan.
Downloader. Small. BFI (BitDef7) - Trojan.
DL. Small. CQN (VirusBuster) - Win32:
Small-BJR [Trj] (AVAST) - Trojan-Downloader.
Win32. Small (Ikarus) - Downloader.
Generic2. EBC (AVG) - TR/Dldr.
Small. ddp. 28 (AVIRA) - Adware.
TrustInBar (NAV) - W32/DLoader.
AEPU (Norman) - AZESearch (NAI)
- Trojan.
DL. Small. pum (Rising) - Trojan-Downloader.
Win32. Small. ddp [AVP] (FSecure) - ADW_TRUSTINBAR (TrendMicro)
- Trojan.
DL. Small. CQN (VirusBusterBeta)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.