Internet threat level: 1
Home→Descriptions→Trojan-Dropper.Win32.Small.bc
Trojan-Dropper.Win32.Small.bc
| Detected | Aug 11 2003 17:35 GMT |
| Released | Aug 11 2003 17:35 GMT |
| Published | Mar 24 2006 09:39 GMT |
Payload
Removal instructions
Technical Details
This Trojan program installs other Trojan programs to the victim machine without the user's knowledge or consent. The main Trojan file is a Windows PE EXE file 24064 bytes in size, packed using UPX. The unpacked file is approximately 60KB in size.
Payload
Once launched, the Trojan copies itself to the Windows system registry as nstask32.exe:
%System%\nstask32.exe
It then registers this file in the system registry, ensuring that the Trojan will be launched each time Windows is rebooted on the victim machine:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce]
"NDplDeamon"="nstask32.exe"
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell="Explorer.exe nstask32.exe"
When launching, the Trojan also drops a file called winsockdrv.dll to the Windows system directory:
%System%\win32sockdrv.dll
This file will be detected by Kaspersky Anti-Virus as Backdoor.Win32.SdBot.at.
The file will then be launched for execution:
The Trojan also creates the following file:
%System%\dllcache\tftp.exe
The original executable file will then be deleted.
Removal instructions
- Delete the files listed below:
%System%\nstask32.exe %System%\win32sockdrv.dll %System%\dllcache\tftp.exe
- Delete the following values from the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce]
"NDplDeamon"="nstask32.exe"[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell="Explorer.exe nstask32.exe" - Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.
This type of malicious program usually save a range of files to the victim’s drive (usually to the Windows directory, the Windows system directory, temporary directory etc.), and launches them without any notification (or with fake notification of an archive error, an outdated operating system version, etc.).
Such programs are used by hackers to:
- secretly install Trojan programs and/or viruses
- protect known malicious programs from being detected by antivirus solutions; not all antivirus programs are capable of scanning all the components inside this type of Trojans.
Trojan-Dropper.
- TrojanDropper.
Win32. Small. bc (Kaspersky Lab) - Trj/Small.
BC (Panda) - Win32.
HLLW. LoveSan. based (DrWeb)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.