Technical Details
This Trojan has a malicious payload. It is a Windows PE EXE file, 24 576 bytes in size, written in C++.
Installation
When launched, the Trojan copies its executable file to the Windows system directory under the original file name.
%System%\<original name of Trojan file>
In order to ensure that the Trojan is launched automatically each time the system is booted, it registers its executable file in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"wins" = "%System%\<original name of Trojan file> "
Payload
Every 55 minutes, the Trojan uses Internet Explorer to open one of the following links:
http://bbsdown.cn/aabb.html
http://552779.cn/aabb.html
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the copy of the Trojan from the Windows system directory: %System%\<original name of Trojan file>
- Delete the following system registry key (see "What is a system registry and how do I use it" for details on how to edit the registry):
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"wins" = "%System%\<original name of Trojan file> "
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Summary
Technical details
The file is 70656 bytes in size.
Installation
Creates the following files on an infected computer:
- %System%\surte.exe (Windows system directory, usually C:\Windows\System32)
Malicious activity
Creates the following files:
- %Windir%\svchost.exe (Windows directory, usually C:\Windows); Kaspersky Anti-Virus detects it as Trojan-Clicker.Win32.Small.bh
- %System%\svchosts.exe (Windows system directory, usually C:\Windows\System32); Kaspersky Anti-Virus detects it as Trojan-Proxy.Win32.Daemonize.a
- %System%\svchostc.exe (Windows system directory, usually C:\Windows\System32); Kaspersky Anti-Virus detects it as Trojan-Proxy.Win32.Daemonize.e
Ensures subsequent autorun of installed files
Using the system registry, system services or special system files, the program can launch itself or launch the creation of its files every time the Windows OS is subsequently booted. It does so by adding values to autorun keys in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Online Service" = "%Windir%\svchost.exe"
Launches the following files for execution:
- %Windir%\svchost.exe
- %System%\svchosts.exe
- %System%\svchostc.exe
Checks for Internet access on the infected machine
Communicates with the following Internet addresses:
- http://***endzz.netfirms.com/1.exe
- http://***ns4free.nm.ru/2.exe
- http://***ideal.nm.ru/3.exe
- http://www.***ginstoday.com/dirz1/command.php?IP=10.14.1.2&Port1=1200&Port2=1202&ID=001800062010001600550053
Other activities
Searches for the following windows:
Modifies the system registry keys:
[HKLM\SOFTWARE\Microsoft\Mserv]
"IDwin" = "001800062010001600550053"
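Added example (not part of either write-up above): a Python triage helper that checks exported Run-key values and a file listing against the indicators both entries describe: the "wins" and "Online Service" autorun values, a svchost.exe outside %System%, the dropped surte.exe/svchosts.exe/svchostc.exe names, and the HKLM\SOFTWARE\Microsoft\Mserv\IDwin marker. The sample data is constructed; clicker.exe stands in for the unknown original file name of the first Trojan.

```python
import ntpath

# Indicators taken from the two write-ups on this page.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MSERV_KEY = r"HKLM\SOFTWARE\Microsoft\Mserv"
SUSPICIOUS_RUN_VALUES = {"wins", "online service"}            # value names the samples register
DROPPED_NAMES = {"surte.exe", "svchosts.exe", "svchostc.exe"}  # files dropped into %System%


def expand(path, windir, system):
    """Resolve %Windir% / %System% and strip the trailing blank the first sample leaves."""
    return path.strip().replace("%System%", system).replace("%Windir%", windir)


def split_lower(path):
    return ntpath.basename(path).lower(), ntpath.dirname(path).lower()


def triage_registry(entries, windir=r"C:\Windows", system=r"C:\Windows\System32"):
    """entries: (key, value_name, value_data) tuples; returns (reason, key, name, target)."""
    findings = []
    for key, name, data in entries:
        target = expand(data, windir, system)
        base, parent = split_lower(target)
        if key.lower() == RUN_KEY.lower():
            if name.lower() in SUSPICIOUS_RUN_VALUES:
                findings.append(("autorun value name used by the Trojan", key, name, target))
            if base == "svchost.exe" and parent != system.lower():
                # Genuine svchost.exe lives only in %System%; %Windir%\svchost.exe is a masquerade.
                findings.append(("svchost.exe outside the system directory", key, name, target))
        elif key.lower() == MSERV_KEY.lower() and name.lower() == "idwin":
            findings.append(("Mserv\\IDwin infection marker", key, name, target))
    return findings


def triage_files(paths, windir=r"C:\Windows", system=r"C:\Windows\System32"):
    """Flag the dropped names in %System% and any svchost.exe that is not the %System% one."""
    hits = []
    for full in (expand(p, windir, system) for p in paths):
        base, parent = split_lower(full)
        if (base in DROPPED_NAMES and parent == system.lower()) or (
            base == "svchost.exe" and parent != system.lower()):
            hits.append(full)
    return hits


# Constructed sample data modelled on the indicators above; clicker.exe is a stand-in name.
SAMPLE_ENTRIES = [
    (RUN_KEY, "wins", r"%System%\clicker.exe "),
    (RUN_KEY, "Online Service", r"%Windir%\svchost.exe"),
    (RUN_KEY, "Updater", r"C:\Program Files\Example\updater.exe"),   # benign control entry
    (MSERV_KEY, "IDwin", "001800062010001600550053"),
]
SAMPLE_FILES = [r"%System%\svchost.exe", r"%Windir%\svchost.exe", r"%System%\svchostc.exe"]
```

Feed it the output of a registry export of the Run key and a listing of %Windir% and %System%; anything it returns matches the removal steps given for the first sample or the files and keys listed for the second.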