Internet threat level: 1
Home→Descriptions→Trojan-Dropper.Win32.Small.ez
Trojan-Dropper.Win32.Small.ez
| Detected | Mar 20 2004 09:56 GMT |
| Released | Mar 20 2004 09:56 GMT |
| Published | Feb 02 2007 08:29 GMT |
Payload
Removal instructions
Technical Details
This Trojan is designed to install and launch other programs on the victim machine. It is a Windows PE EXE file. The file is 15,872 bytes in size. It is packed using UPX. The unpacked file is 48 640 bytes in size.
Payload
Once launched, the Trojan extracts the following files from itself and launches them for execution:
- %WinDir%\svchost.exe (This file is 19 968 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-Spy.Win32.Tofger.x.)
- %WinDir%\svchost.exe (This file is 20,000 bytes in size. It will be detected by Kaspersky Anti-Virus as not-a-virus:Server-Proxy.Win32.Soppet.a)
The Trojan also extracts the following DLL file from its body:
- %WinDir%\svchost.exe (This file is 3,072 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-Spy.Win32.Banker.l.)
In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan registers its executable file in the system registry:
"Systems" = "%WinDir%\svchost.exe"
Removal instructions
- Use Task Manager to terminate the Trojan process:
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the files created by the Trojan:
- %WinDir%\svchost.exe
- %System%\svchostc.exe
- %WinDir%\msrt32.dll
- %WinDir%\svchost.exe
- Delete the following system registry key parameter:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Systems" = "%WinDir%\svchost.exe" - Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.
This type of malicious program usually save a range of files to the victim’s drive (usually to the Windows directory, the Windows system directory, temporary directory etc.), and launches them without any notification (or with fake notification of an archive error, an outdated operating system version, etc.).
Such programs are used by hackers to:
- secretly install Trojan programs and/or viruses
- protect known malicious programs from being detected by antivirus solutions; not all antivirus programs are capable of scanning all the components inside this type of Trojans.
Trojan-Dropper.
- TrojanDropper.
Win32. Small. ez (Kaspersky Lab) - Trojan:
MultiDropper-GP. a (McAfee) - Troj/Tofdr-Fam (Sophos)
- Trojan.
Dropper. Small-44 (ClamAV) - Trj/Tofger.
J (Panda) - TrojanDropper:
Win32/Small. EZ (MS(OneCare)) - Trojan.
Tofger (DrWeb) - Win32/TrojanDropper.
Small. EZ trojan (Nod32) - DeepScan:
Generic. PWStealer. 20565D3F (BitDef7) - Trojan-Clicker.
Win32. Exploider (Ikarus) - Dropper.
Small. 4. AD (AVG) - TR/Dropper.
Gen (AVIRA) - Dropper.
Win32. Undef. GEN [Suspicious] (Rising)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.