English

The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service.

Internet threat level: 1

Read us on

Home→Descriptions→Trojan-Downloader.Win32.Small.cg

Trojan-Downloader.Win32.Small.cg

Detected	Mar 14 2004 03:54 GMT
Released	Mar 14 2004 03:54 GMT
Published	Aug 03 2005 10:18 GMT

Manual description Auto description

This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.

Technical Details

This Trojan program downloads files from the Internet without the knowledge of consent of the user. The Trojan itself is a Windows PE EXE file 5632 bytes in size, not packed in any way.

It will download another Trojan from http://217.73.xx.1/ and launch it on the victim machine.

When downloading, it displays the following message:

Summary

Trojan-Dropper. Hidden installation of other malicious programs in the system

Implements network activity

Technical details

File size of 9216 bytes.

Installation

Creates the following files on an infected computer:

Windows system directory (usually, C:\Windows\System32) %System%\MSFXDB32.SRG
Windows system directory (usually, C:\Windows\System32) %System%\<html>
Windows system directory (usually, C:\Windows\System32) %System%\<script type=\"text/javascript\" src=\"/js/general.js\"></script>
Windows system directory (usually, C:\Windows\System32) %System%\<script type=\"text/javascript\">
Windows system directory (usually, C:\Windows\System32) %System%\<frameset rows=\"100%,*\" frameborder=\"no\" border=\"0\" framespacing=\"0\">
Windows system directory (usually, C:\Windows\System32) %System%\<body bgcolor=\"#ffffff\" text=\"#000000\">
Windows system directory (usually, C:\Windows\System32) %System%\</html>\r

Malicious activity

Creates the following files:

Windows system directory (usually, C:\Windows\System32) %System%\<head>
Windows system directory (usually, C:\Windows\System32) %System%\<title>beneditutti.com</title>
Windows system directory (usually, C:\Windows\System32) %System%\ChkRequestEnc('YToyMTp7aTowO3M6MTk6IjIwMTAtMDctMDggMTk6Mzk6NTIiO2k6MTtzOjY6IjkyNTA5MSI7aToyO047aTozO3M6OTg6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDYuMDsgV2luZG93cyBOVCA1LjE7IFNWMTsgLk5FVCBDTFIgMi4wLjUwNzI3OyAuTkVUIENMUiAzLjAuMDQ1MDYuMzApIjtpOjQ7czoxNDY6Ii9uZXczLnBocD91c2VyS2V5PXVtZGtwemRtcHV1aXlqZ3prbWRqeXhwc2Z0eWFqa2R6cnRvaGdqbWNlc2pzaWdpYnRyeWV5Y3RuamRibmxoZXJyZWRoZ2xydm5oeXRyeG1qeGdhcnhwcG9oYWFpa3NzdGJ3dW9ybHdicXBiZHJpemJic3JpeWxscGRqeWV2eXp6IjtpOjU7czoxNDoiMjE3LjIzLjEzMi4yMjciO2k6NjtzOjE6IjIiO2k6Nztz
Windows system directory (usually, C:\Windows\System32) %System%\OjA6IiI7aTo4O3M6MDoiIjtpOjk7czoyOiJSVSI7aToxMDtzOjE6Ii0iO2k6MTE7czoxOiItIjtpOjEyO3M6NjoiMjI0NTEyIjtpOjEzO3M6MTU6ImJlbmVkaXR1dHRpLmNvbSI7aToxNDtzOjc1OiJodHRwOi8vc2VhcmNocG9ydGFsLmluZm9ybWF0aW9uLmNvbS8/b19pZD0xMTQwMjEmZG9tYWlubmFtZT1iZW5lZGl0dXR0aS5jb20iO2k6MTU7TjtpOjE2O047aToxNztOO2k6MTg7TjtpOjE5O047aToyMDtOO30=');
Windows system directory (usually, C:\Windows\System32) %System%\</script>
Windows system directory (usually, C:\Windows\System32) %System%\</head>
Windows system directory (usually, C:\Windows\System32) %System%\
Windows system directory (usually, C:\Windows\System32) %System%\<noframes>
Windows system directory (usually, C:\Windows\System32) %System%\</body>
Windows system directory (usually, C:\Windows\System32) %System%\</noframes>
Windows system directory (usually, C:\Windows\System32) %System%\</frameset>

Ensures subsequent Using the system registry, system services or special system files, the program can launch itself or launch the creation of its files every time the Windows OS is subsequently booted autorun of installed files:

by adding values to autorun keys in the system registry:

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "<h" = " Windows system directory (usually, C:\Windows\System32) %System%\<head>"

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "<title>beneditutti.com</ti" = " Windows system directory (usually, C:\Windows\System32) %System%\<title>beneditutti.com</title>"

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "ChkRequestEnc('YToyMTp7aTowO3M6MTk6IjIwMTAtMDctMDggMTk6Mzk6NTIiO2k6MTtzOjY6IjkyNTA5MSI7aToyO047aTozO3M6OTg6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDYuMDsgV2luZG93cyBOVCA1LjE7IFNWMTsgLk5FVCBDTFIgMi4wLjUwNzI3OyAuTkVUIENMUiAzLjAuMDQ1MDYuMzApIjtpOjQ7czoxNDY6Ii9uZXczLnBocD91c2VyS2V5PXVtZGtwemRtcHV1aXlqZ3prbWRqeXhwc2Z0eWFqa2R6cnRvaGdqbWNlc2pzaWdpYnRyeWV5Y3RuamRibmxoZXJyZWRoZ2xydm5oeXRyeG1qeGdhcnhwcG9oYWFpa3NzdGJ3dW9ybHdicXBiZHJpemJic3JpeWxscGRqeWV2eXp6IjtpOjU7czoxNDoiMjE3LjIzLjEzMi4yMjciO2k6NjtzOjE6IjIiO2k6" = " Windows system directory (usually, C:\Windows\System32) %System%\ChkRequestEnc('YToyMTp7aTowO3M6MTk6IjIwMTAtMDctMDggMTk6Mzk6NTIiO2k6MTtzOjY6IjkyNTA5MSI7aToyO047aTozO3M6OTg6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDYuMDsgV2luZG93cyBOVCA1LjE7IFNWMTsgLk5FVCBDTFIgMi4wLjUwNzI3OyAuTkVUIENMUiAzLjAuMDQ1MDYuMzApIjtpOjQ7czoxNDY6Ii9uZXczLnBocD91c2VyS2V5PXVtZGtwemRtcHV1aXlqZ3prbWRqeXhwc2Z0eWFqa2R6cnRvaGdqbWNlc2pzaWdpYnRyeWV5Y3RuamRibmxoZXJyZWRoZ2xydm5oeXRyeG1qeGdhcnhwcG9oYWFpa3NzdGJ3dW9ybHdicXBiZHJpemJic3JpeWxscGRqeWV2eXp6IjtpOjU7czoxNDoiMjE3LjIzLjEzMi4yMjciO2k6NjtzOjE6IjIiO2k6Nztz"

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "OjA6IiI7aTo4O3M6MDoiIjtpOjk7czoyOiJSVSI7aToxMDtzOjE6Ii0iO2k6MTE7czoxOiItIjtpOjEyO3M6NjoiMjI0NTEyIjtpOjEzO3M6MTU6ImJlbmVkaXR1dHRpLmNvbSI7aToxNDtzOjc1OiJodHRwOi8vc2VhcmNocG9ydGFsLmluZm9ybWF0aW9uLmNvbS8/b19pZD0xMTQwMjEmZG9tYWlubmFtZT1iZW5lZGl0dXR0aS5jb20iO2k6MTU7TjtpOjE2O047aToxNztOO2k6MTg7TjtpOjE5O047aToyMDtOO30" = " Windows system directory (usually, C:\Windows\System32) %System%\OjA6IiI7aTo4O3M6MDoiIjtpOjk7czoyOiJSVSI7aToxMDtzOjE6Ii0iO2k6MTE7czoxOiItIjtpOjEyO3M6NjoiMjI0NTEyIjtpOjEzO3M6MTU6ImJlbmVkaXR1dHRpLmNvbSI7aToxNDtzOjc1OiJodHRwOi8vc2VhcmNocG9ydGFsLmluZm9ybWF0aW9uLmNvbS8/b19pZD0xMTQwMjEmZG9tYWlubmFtZT1iZW5lZGl0dXR0aS5jb20iO2k6MTU7TjtpOjE2O047aToxNztOO2k6MTg7TjtpOjE5O047aToyMDtOO30=');"

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "</scr" = " Windows system directory (usually, C:\Windows\System32) %System%\</script>"

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "</h" = " Windows system directory (usually, C:\Windows\System32) %System%\</head>"

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] ""

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "<nofra" = " Windows system directory (usually, C:\Windows\System32) %System%\<noframes>"

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "</b" = " Windows system directory (usually, C:\Windows\System32) %System%\</body>"

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "</nofra" = " Windows system directory (usually, C:\Windows\System32) %System%\</noframes>"

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "</frame" = " Windows system directory (usually, C:\Windows\System32) %System%\</frameset>"

Connects to to the following Internet addresses:

***.43.160.209:20480

Communicates with the following Internet addresses:

http://***editutti.com/new3.php?userKey=umdkpzdmpuuiyjgzkmdjyxpsftyajkdzrtohgjmcesjsigibtryeyctnjdbnlherredhglrvnhytrxmjxgarxppohaaiksstbwuorlwbqpbdrizbbsriyllpdjyevyzz
http://***editutti.com/<html>
http://***editutti.com/
http://***editutti.com/<head>
http://***editutti.com/<title>beneditutti.com</title>
http://***editutti.com/<script type=\"text/javascript\" src=\"/js/general.js\"></script>
http://***editutti.com/<script type=\"text/javascript\">
http://***editutti.com/ChkRequestEnc('YToyMTp7aTowO3M6MTk6IjIwMTAtMDctMDggMTk6Mzk6NTIiO2k6MTtzOjY6IjkyNTA5MSI7aToyO047aTozO3M6OTg6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDYuMDsgV2luZG93cyBOVCA1LjE7IFNWMTsgLk5FVCBDTFIgMi4wLjUwNzI3OyAuTkVUIENMUiAzLjAuMDQ1MDYuMzApIjtpOjQ7czoxNDY6Ii9uZXczLnBocD91c2VyS2V5PXVtZGtwemRtcHV1aXlqZ3prbWRqeXhwc2Z0eWFqa2R6cnRvaGdqbWNlc2pzaWdpYnRyeWV5Y3RuamRibmxoZXJyZWRoZ2xydm5oeXRyeG1qeGdhcnhwcG9oYWFpa3NzdGJ3dW9ybHdicXBiZHJpemJic3JpeWxscGRqeWV2eXp6IjtpOjU7czoxNDoiMjE3LjIzLjEzMi4yMjciO2k6NjtzOjE6IjIiO2k6Nztz
http://***editutti.com/OjA6IiI7aTo4O3M6MDoiIjtpOjk7czoyOiJSVSI7aToxMDtzOjE6Ii0iO2k6MTE7czoxOiItIjtpOjEyO3M6NjoiMjI0NTEyIjtpOjEzO3M6MTU6ImJlbmVkaXR1dHRpLmNvbSI7aToxNDtzOjc1OiJodHRwOi8vc2VhcmNocG9ydGFsLmluZm9ybWF0aW9uLmNvbS8/b19pZD0xMTQwMjEmZG9tYWlubmFtZT1iZW5lZGl0dXR0aS5jb20iO2k6MTU7TjtpOjE2O047aToxNztOO2k6MTg7TjtpOjE5O047aToyMDtOO30=');
http://***editutti.com/</script>
http://***editutti.com/</head>
http://***editutti.com/<frameset rows=\"100%,*\" frameborder=\"no\" border=\"0\" framespacing=\"0\">
http://***editutti.com/
http://***editutti.com/ <frame src=\"http://searchportal.information.com/?o_id=114021&domainname=beneditutti.com\">
http://***editutti.com/<noframes>
http://***editutti.com/<body bgcolor=\"#ffffff\" text=\"#000000\">
http://***editutti.com/ <a href=\"http://searchportal.information.com/?o_id=114021&domainname=beneditutti.com\">Click here to enter</a>.
http://***editutti.com/</body>
http://***editutti.com/</noframes>
http://***editutti.com/</frameset>
http://***editutti.com/</html>\r

Other activities

Modifies the system registry keys:

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "(default)" = " Windows system directory (usually, C:\Windows\System32) %System%\"

Description:
Used to automatically run files when the Windows OS boots

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Run ] "(default)" = " Windows system directory (usually, C:\Windows\System32) %System%\"

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "<script type=\"text/javascri" = " Windows system directory (usually, C:\Windows\System32) %System%\<script type="text/javascript">"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Run ] "<script type=\"text/javascri" = " Windows system directory (usually, C:\Windows\System32) %System%\<script type="text/javascript">"

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "<frame src=\"http://searchportal.information.com/?o_id=114021&domainname=beneditutti.c" = " Windows system directory (usually, C:\Windows\System32) %System%\ <frame src="http://searchportal.information.com/?o_id=114021&domainname=beneditutti.com">"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Run ] "<frame src=\"http://searchportal.information.com/?o_id=114021&domainname=beneditutti.c" = " Windows system directory (usually, C:\Windows\System32) %System%\ <frame src="http://searchportal.information.com/?o_id=114021&domainname=beneditutti.com">"

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "<body bgcolor=\"#ffffff\" text=\"#0000" = " Windows system directory (usually, C:\Windows\System32) %System%\<body bgcolor="#ffffff" text="#000000">"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Run ] "<body bgcolor=\"#ffffff\" text=\"#0000" = " Windows system directory (usually, C:\Windows\System32) %System%\<body bgcolor="#ffffff" text="#000000">"

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "<a href=\"http://searchportal.information.com/?o_id=114021&domainname=beneditutti.com\">Click here to enter<" = " Windows system directory (usually, C:\Windows\System32) %System%\ <a href="http://searchportal.information.com/?o_id=114021&domainname=beneditutti.com">Click here to enter</a>."

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Run ] "<a href=\"http://searchportal.information.com/?o_id=114021&domainname=beneditutti.com\">Click here to enter<" = " Windows system directory (usually, C:\Windows\System32) %System%\ <a href="http://searchportal.information.com/?o_id=114021&domainname=beneditutti.com">Click here to enter</a>."

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "</ht" = " Windows system directory (usually, C:\Windows\System32) %System%\</html>"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Run ] "</ht" = " Windows system directory (usually, C:\Windows\System32) %System%\</html>"

Deletes the following files on an infected computer:

Windows system directory (usually, C:\Windows\System32) %System%\MSFXDB32.SRG

Malicious programs

Trojans

Trojan-Downloader

Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.

Information about the names and locations of the programs which are downloaded are in the Trojan code, or are downloaded by the Trojan from an Internet resource (usually a web page).

This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.

Other versions

Trojan-Downloader.Win32.Small.abn

Trojan-Downloader.Win32.Small.aex

Trojan-Downloader.Win32.Small.anh

Trojan-Downloader.Win32.Small.aoa

Trojan-Downloader.Win32.Small.apc

Trojan-Downloader.Win32.Small.arf

Trojan-Downloader.Win32.Small.asa

Trojan-Downloader.Win32.Small.axk

Trojan-Downloader.Win32.Small.axp

Trojan-Downloader.Win32.Small.bab