Internet threat level: 1
Home→Descriptions→Trojan-Dropper.Win32.Small.es
Trojan-Dropper.Win32.Small.es
| Detected | Feb 27 2004 12:59 GMT |
| Released | Feb 27 2004 12:59 GMT |
| Published | Nov 09 2007 10:20 GMT |
Payload
Removal instructions
Technical Details
This Trojan is designed to install and launch other malicious programs on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 10240 bytes in size. It is packed using UPX. The unpacked file is approximately 42KB in size. It is written in C++.
Payload
When launching, the Trojan searches for and terminates all processes called "svchost.exe". The Trojan then extracts a number of files from its body and saves them under the following names:
This file is 14336 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-Spy.Win32.Tofger.w.
This file is 7680 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-PSW.Win32.Small.j.
This file is 3072 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-Spy.Win32.Tofger.j.
The Trojan then writes the following string:
to the file shown below:
In order to ensure that the Trojan is launched automatically each time the system is booted, it adds a link to %WinDir%\svchost.exe" to the system registry:
"%WinDir%\svchost.exe" will then be launched for execution and the Trojan will cease running.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following files:
%WinDir%\svchost.exe %System%\wmini.exe %WinDir%\msin32.dll
- Delete the following system registry key parameter:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]"Online Service" = "%WinDir%\svchost.exe"
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.
This type of malicious program usually save a range of files to the victim’s drive (usually to the Windows directory, the Windows system directory, temporary directory etc.), and launches them without any notification (or with fake notification of an archive error, an outdated operating system version, etc.).
Such programs are used by hackers to:
- secretly install Trojan programs and/or viruses
- protect known malicious programs from being detected by antivirus solutions; not all antivirus programs are capable of scanning all the components inside this type of Trojans.
Trojan-Dropper.
- TrojanDropper.
Win32. Small. es (Kaspersky Lab) - Trojan:
MultiDropper-GP. a (McAfee) - Troj/Tofger-C (Sophos)
- Trojan.
Dropper. Small-44 (ClamAV) - Heuristic.
WinPE-Statistical (Panda) - W32/Threat-HLLSNP-based!Maximus (FPROT)
- PWS:
Win32/Small (MS(OneCare)) - Trojan.
MulDrop. 19468 (DrWeb) - Win32/TrojanDropper.
Agent. OVX trojan (Nod32) - Generic.
PWStealer. DE6B99C1 (BitDef7) - Trojan.
DR. Small!sCBWCfuAsOE (VirusBuster) - Win32:
Small-MFK [Trj] (AVAST) - Trojan-Clicker.
Win32. Exploider (Ikarus) - Infostealer.
Tarno. B (NAV) - NseCheckFile2() returned 0x00010018 (Norman)
- MultiDropper-GP.
a (NAI) - TSPY_TOFGER.
GEN (PCCIL) - TSPY_TOFGER.
GEN (TrendMicro) - Trojan.
DR. Small!sCBWCfuAsOE (VirusBusterBeta)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.