Trojan-Downloader.Win32.Small.on

From Total Malware Info

Jump to: navigation, search

Trojan program which downloads from Internet another programs without user approval. Program is Windows application (PE EXE-file). Has size 4096 bytes. Packed with UPX. Unpacked size – about 5.5 KB. It is written on assembler.

Destructive activity

After start Trojan creates window with title "Please wait..." based on window class with name "XYZ":

In this window it is displayed status of downloading file from Internet and installing in system.

Downloaded file can be Windows executable (PE-EXE file) or dynamically loaded library (PE-DLL file). (It is defined by Trojan constructor.)

If requested file is executable separate thread is created that is opening URL, that is by default:

http://127.0.0.1:8081/exit

then executable file is downloading from [as in the sample I reversed]:

http://***.***.66.1/del/cmb_220606.exe (168960 bytes, detected by KAV as not-a-virus:Porn-Dialer.Win32.PluginAccess.s)

In case of DLL just file is downloaded [as in the sample I reversed]:

http://***.***.66.1/del/220606 (4096 bytes, detected by KAV as Trojan-Downloader.Win32.Small.on)

If the file is executable [as in the sample I reversed] it is saved in system Windows folder with temporary name based on file mask [as in the sample I reversed] and then executed:

%Temp%\dia*.tmp

If file is dll, it is saved in system Windows folder with name [as in the sample I reversed]:

%Windir%\System32\220606

Then it loaded in to the memory and registered in the system (by calling export function "DllRegisterServer").

After that trojan is terminating his process.

Removal instructions

If your computer was not protected by anti-virus software and was infected by this malware program, to manually remove it please follow the instructions below:

Using Task Manager terminate the trojan process.
Delete the original trojan file (its file name and location depends on the way the trojan originally penetrated the target computer).
Using Task Manager terminate process with a following name:
```
dia*.tmp
```

Delete the following files:

%Temp%\dia*.tmp
%Windir%\System32\220606

Check your system for viruses using updated anti-virus definitions.

Retrieved from "http://www.totalmalwareinfo.com/eng/Trojan-Downloader.Win32.Small.on"

Category: Trojan-Downloader.Win32

Language

Русский

Search

© 2010 "Design and Test Lab", LLC. All rights reserved.