The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1


Detected Feb 05 2009 13:19 GMT
Released Feb 05 2009 18:23 GMT
Published Sep 29 2010 10:27 GMT

Technical Details
Removal instructions

Technical Details

This Trojan installs other programs to the victim machine without the knowledge or consent of the user. It is a Windows application (PE EXE file). It is 5308 bytes in size. It is packed using PE_Patch or UPack. The unpacked file is approximately 66 KB in size. It is written in C++.


After launching, the Trojan extracts a file from its body and saves it in the system under the following name:

%WinDir%\Downloaded Program Files\spoolv.exe
(3740 bytes; detected by Kaspersky Anti-Virus as "Exploit.Win32.IMG-WMF.fk")

The extracted exploit file can download a file from the Internet through a link sent as a parameter. To do so, the exploit uses the vulnerability "MS08-067"

The extracted file is then launched for execution with the following parameter:

At the time of writing, an HTML page of 1142 bytes in size was downloaded from this link.

The Trojan then ceases running.

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  2. Delete the following file:
    %WinDir%\Downloaded Program Files\spoolv.exe 
  3. Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?).
  4. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

MD5: 83CB7770DB348AD1BE1F76ED77602DDB
SHA1: EE460175D8EF5B8B5079DAC9D7186126095B4851

Bookmark and Share

Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.

This type of malicious program usually save a range of files to the victim’s drive (usually to the Windows directory, the Windows system directory, temporary directory etc.), and launches them without any notification (or with fake notification of an archive error, an outdated operating system version, etc.).

Such programs are used by hackers to:

  • secretly install Trojan programs and/or viruses
  • protect known malicious programs from being detected by antivirus solutions; not all antivirus programs are capable of scanning all the components inside this type of Trojans.

Other versions


Trojan-Dropper.Win32.Small.gfa (Kaspersky Lab) is also known as:

  • Trojan-GameThief.Win32.OnLineGames.upwe (Kaspersky Lab)
  • Trojan: Generic.dx (McAfee)
  • Mal/Behav-204 (Sophos)
  • Trj/Lineage.BZE (Panda)
  • W32/Heuristic-210!Eldorado (FPROT)
  • PWS:Win32/Prast!rts (MS(OneCare))
  • Trojan.Siggen.564 (DrWeb)
  • Win32/TrojanDropper.Small.NIY trojan (Nod32)
  • Trojan.Generic.1427218 (BitDef7)
  • Packed/Upack (VirusBuster)
  • Worm.Win32.Downloader (Ikarus)
  • PSW.OnlineGames.BOZL (AVG)
  • TR/Crypt.XDR.Gen (AVIRA)
  • Downloader (NAV)
  • W32/Packed_Upack.A (Norman)
  • Trojan.Win32.Generic.51E9236A (Rising)
  • Trojan-GameThief.Win32.OnLineGames.upwe [AVP] (FSecure)
  • Cryp_Xed-12 (TrendMicro)
  • Packed/Upack (VirusBusterBeta)