Classification

Category :

Malware

Type :

-

Aliases :

Small.wy, Trojan-Dropper.Win32.Small.wy, Trojan.Win32.Agent.ct, Small.wy, Trojan.Win32.Qhost.br, Trojan-Downloader.Win32.Agent.le, Trojan.Win32.LowZones.ba, Trojan.Win32.Fakespy.a, Trojan.Win32.Puper.a, Trojan-Dropper.Win32.Small.xa, Trojan-Downloader.Win32.Agent.lx, Trojan.Win32.Favadd.t, Trojan-Dropper.Win32.Small.xb, Trojan-Dropper.Win32.Small.xc, Trojan-Dropper.Win32.Small.xd

Summary

The 'Small.wy' trojan dropper was first reported to us from Denmark on April 13th, 2005. According to the report, it was originally downloaded from an X-rated website. The trojan dropped a downloader that was designed to download additional trojans and adware to an affected computer from 3 websites. Up to now we have several reports from customers infected with this trojan.

Removal

To get rid of the trojan itself and the files it downloads, it is enough to delete them from the infected hard disk. The latest versions of F-Secure Anti-Virus can automatically disable (rename) the infected files. If automatic disinfection fails, please select the 'Delete' disinfection action for all files described below when they are detected. Instructions are here:

https://support.f-secure.com/enu/home/virusproblem/howtoclean/howtodeleteinfec...

Please remember to restart a computer after disinfection.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The original file that was submitted to us is called 'codec.exe'. It is a Russian-made trojan dropper, now detected as 'Trojan-Dropper.Win32.Small.wy'. The dropper drops another executable file named 'msmsgs.exe' into the Windows System folder and runs it. It also creates a startup key for the dropped file:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"MSN Messenger" = "%WinSysDir%\msmsgs.exe"
 

The dropped file is a trojan downloader. It is now detected as 'Trojan-Downloader.Win32.Agent.lx'. When run, it creates a new startup key for itself:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"notepad.exe" = "msmsgs.exe"
 

It also adds itself to the SHELL= variable in the following key:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
 

The trojan downloader tries to inject its code into Windows Explorer and then connects to one of the following websites:

vnp7s.net
zxserv0.com
dumpserv.com
 

First the trojan downloader just connects and reads the response from the website. If the response equals '0b723718-9389-4ca8-86f4-632a4bbc88a4', the trojan connects to the site again and sends information in a specially constructed URL (a unique ID, country info and the language of the operating system). As a response, the trojan gets a list of files to download. Last time we checked it, the website contained the following list of files:

T54111925.so
H53131712.so
A54102200.so
S53252000.so
A04111925.so
M54111925.so
P54111925.so
 

After that the trojan downloader connects to the site again to download all listed files. The downloaded files are stored in the '%WinSysDir%\LogFiles\' folder and are activated after they are downloaded. All the above-mentioned servers contain the same functionality and files as far as we could see.

The 'A04111925.so' file is a trojan that adds many websites to the Trusted Internet Zone area. It is now detected as 'Trojan.Win32.LowZones.ba'. Here's an example list of the sites that are added (the actual list is much longer):

www.niger.ru
awmdabest.com
20x2p.com
love-catalog.net
 

The trojan also adds certain ranges of IP addresses to the Trusted Internet Zone Ranges; here's an example:

69.50.191.*
69.50.189.*
69.50.187.*
69.50.182.*
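The startup keys listed earlier (the Run key, the policies\explorer\run key and the Winlogon SHELL= value) and the Trusted Zone entries just described all live in the Registry, so an exported .reg file is a convenient place to look for them during cleanup or triage. The following script is an added example and not F-Secure code: it parses regedit/reg.exe export syntax, flags the three persistence locations, and lists every host and IP range assigned to the Trusted sites zone. The ZoneMap\Domains and ZoneMap\Ranges location under Internet Settings is Internet Explorer's standard one and is not named in the description above; the SAMPLE_REG text is constructed for the demonstration and only reuses names that appear on this page.

```python
"""Scan a regedit/reg.exe export for the startup keys used by the dropper and
downloader above and for hosts or IP ranges placed in the Trusted sites zone.
Added example, not F-Secure code. SAMPLE_REG is constructed for the demo; the
ZoneMap location is IE's standard one and is not named in the description."""
import re
import sys

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSN Messenger"="C:\\WINDOWS\\system32\\msmsgs.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"notepad.exe"="msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe msmsgs.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\niger.ru\www]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="69.50.191.*"
"*"=dword:00000002
'''

RUN_KEY = r'hkey_local_machine\software\microsoft\windows\currentversion\run'
POLICY_RUN_KEY = r'hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run'
WINLOGON_KEY = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
ZONEMAP = r'hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap' + '\\'
URLZONE_TRUSTED = 2  # zone id Internet Explorer uses for "Trusted sites"

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path (lower-cased): {value_name: data}}. REG_SZ data is unescaped,
    dword data becomes an int, other encodings (hex:, hex(2): ...) are kept as text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue  # continuation lines of multi-line hex blobs are not needed here
        name = '@' if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
        elif data.lower().startswith('dword:'):
            keys[current][name] = int(data[6:], 16)
        else:
            keys[current][name] = data
    return keys


def _value(values, wanted, default=None):
    # registry value names are case-insensitive
    return next((v for n, v in values.items() if n.lower() == wanted.lower()), default)


def find_persistence(keys):
    """Flag the three startup locations the dropper and its downloader write."""
    found = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # The genuine Windows Messenger runs from Program Files\Messenger; an
        # msmsgs.exe launched from the System folder is the dropped file.
        if isinstance(data, str) and data.lower().strip('"').endswith(r'\system32\msmsgs.exe'):
            found.append(('run', name, data))
    for name, data in keys.get(POLICY_RUN_KEY, {}).items():
        # Empty on a normal workstation, so any entry deserves a look.
        found.append(('policy_run', name, data))
    shell = _value(keys.get(WINLOGON_KEY, {}), 'Shell', '')
    if isinstance(shell, str):
        extra = [p for p in re.split(r'[,\s]+', shell) if p and p.lower() != 'explorer.exe']
        if extra:
            found.append(('winlogon_shell', 'Shell', extra))
    return found


def find_trusted_zone_entries(keys):
    """List hosts and IP ranges that ZoneMap assigns to the Trusted sites zone."""
    found = []
    for path, values in keys.items():
        if not path.startswith(ZONEMAP) or URLZONE_TRUSTED not in values.values():
            continue
        parts = path[len(ZONEMAP):].split('\\')
        if parts[0] == 'domains' and len(parts) >= 2:
            found.append(('domain', '.'.join(reversed(parts[1:]))))  # Domains\niger.ru\www -> www.niger.ru
        elif parts[0] == 'ranges' and len(parts) == 2:
            found.append(('range', _value(values, ':Range', '?')))
    return found


if __name__ == '__main__':
    # Usage: python zonecheck.py [export.reg]; reg.exe writes UTF-16 exports.
    text = open(sys.argv[1], encoding='utf-16').read() if len(sys.argv) > 1 else SAMPLE_REG
    parsed = parse_reg(text)
    for finding in find_persistence(parsed) + find_trusted_zone_entries(parsed):
        print(finding)
```

To run it against a real machine, export the relevant hives first (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" cv.reg` and the same for the HKCU Internet Settings key), then pass the file name as the first argument; reg.exe writes UTF-16, which the script expects. Every Run entry is not flagged on purpose: only an msmsgs.exe started from the System folder matches, because the legitimate Windows Messenger binary of that name lives under Program Files.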
 

The 'H53131712.so' file is a trojan that modifies the HOSTS file. It is now detected as 'Trojan.Win32.Qhost.br'. This trojan modifies the Windows HOSTS file so that connections to certain websites (probably competitors' websites) point to 'localhost' and, as a result, are denied. Here's an example of such a modification (the full list is much longer):

127.0.0.1 e-finder.cc
127.0.0.1 fast-look.com
127.0.0.1 adulthell.com
127.0.0.1 datingforlove.org
127.0.0.1 meetyourfriend.biz
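A HOSTS file that has been modified this way is easy to audit, since any name other than the usual loopback aliases that resolves to a loopback address is a sinkhole entry. The script below is an added example, not F-Secure code: it parses HOSTS syntax (comments, several names per line) and reports every name pointed at a loopback or unspecified address, which goes slightly beyond the page by also catching the '::1' and '0.0.0.0' variants of the same trick. SAMPLE_HOSTS is constructed and only reuses the host names shown above.

```python
"""Find HOSTS entries that sink named sites to a loopback or unspecified address,
the blocking technique the Qhost.br component above uses. Added example, not
F-Secure code; SAMPLE_HOSTS is constructed and reuses the hosts listed above."""
import ipaddress
import sys

# Names that legitimately map to loopback in Windows and Unix hosts files
LOOPBACK_ALIASES = {'localhost', 'localhost.localdomain', 'ip6-localhost', 'ip6-loopback'}

SAMPLE_HOSTS = """# Constructed sample modelled on a Windows HOSTS file after the Qhost.br change

127.0.0.1       localhost
127.0.0.1 e-finder.cc
127.0.0.1 fast-look.com
127.0.0.1 adulthell.com   # trailing comments are allowed
127.0.0.1 datingforlove.org meetyourfriend.biz
0.0.0.0 www.example.com
10.0.0.5 intranet.corp.example
"""


def parse_hosts(text):
    """Return [(ip_address, hostname, line_number)] for every mapping, comments removed.
    Lines whose first field is not an IP address are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((ip, host.lower(), lineno))
    return entries


def find_sinkholed_hosts(text):
    """Return [(hostname, ip, line_number)] for names pointed at 127.0.0.0/8, ::1 or
    0.0.0.0 that are not ordinary loopback aliases; each such name is unreachable."""
    hits = []
    for ip, host, lineno in parse_hosts(text):
        if (ip.is_loopback or ip.is_unspecified) and host not in LOOPBACK_ALIASES:
            hits.append((host, str(ip), lineno))
    return hits


if __name__ == '__main__':
    # Usage: python hostscheck.py [path]; Windows keeps the file at
    # %SystemRoot%\System32\drivers\etc\hosts
    text = open(sys.argv[1], encoding='utf-8', errors='replace').read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for host, ip, lineno in find_sinkholed_hosts(text):
        print(f'line {lineno}: {host} -> {ip}')
```

Legitimate ad-blocking host lists use the same 127.0.0.1/0.0.0.0 technique, so a hit is a lead rather than proof of infection; the line numbers in the output let you remove exactly the offending entries during cleanup.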
 

The 'A54102200.so' file is a trojan dropper. It is now detected as 'Trojan-Downloader.Win32.Agent.le'. It drops 2 files - a trojan and a trojan downloader. The trojan's file is named 'wp.exe' and is dropped to the root of the C: drive. This trojan is now detected as 'Trojan.Win32.Agent.ct'. The trojan extracts the 'wp.bmp' image file to the root folder and sets it as the wallpaper. The image shows a fake error message that resembles the one older Windows versions showed in case of a critical error. The trojan also creates a startup key for itself in the System Registry.

The trojan downloader is dropped as the 'Security iGuard.exe' file and is supposed to download third-party software from the 'securityguard.com' website (adware makers). The downloader is already detected as 'Trojan-Downloader.Win32.Agent.le'.

The 'S53252000.so' file is a trojan dropper. It is already detected as 'Trojan-Dropper.Win32.Small.xc'. It drops a file named 'ole32vbs.exe' into the Windows System folder and runs it. It also drops a few ICO (icon) files into the same folder.

The 'ole32vbs.exe' file is a trojan that adds several URLs of search sites to Internet Explorer Favourites. This file is already detected as 'Trojan.Win32.Favadd.t'.

The 'M54111925.so' file is another trojan dropper. It is now detected as 'Trojan-Dropper.Win32.Small.xa'. It terminates Internet Explorer's process and then drops a file named 'helper.exe' into the Windows System folder and runs it. This file is intrusive adware, now detected as 'Trojan.Win32.Fakespy.a'. It creates a startup key for its file in the Registry and from time to time shows fake alerts. The URL in such alert messages points to a search engine:

http://msxpsupport.com/soft/search.php?said=dsm&qq=<value>

where <value> depends on the alert type.

The website provides URLs to other websites that offer different products or software for download.

The 'T54111925.so' file is yet another trojan dropper. It is now detected as 'Trojan-Dropper.Win32.Small.xd'. It creates a subfolder named 'Virtual Maid' under the 'Program Files' folder and drops 3 BMP images, one batch file, one XML file and one DLL file there. The DLL file is adware that is registered as a system component and acts as a toolbar for Internet Explorer. The batch file should uninstall this adware package from a system; however, it did not work on our test system.

The 'P54111925.so' file is a trojan dropper. It is detected as 'Trojan-Dropper.Win32.Small.xb'. It drops 2 files into the Windows folder and runs them:


One file is dropped into the Windows System folder and is run too:


The 'intmonp.exe' process monitors the 'popuper.exe' process and restarts it if it is killed. The 'popuper.exe' process, in its turn, monitors the 'intmonp.exe' process and restarts it if it is killed. Moreover, the Registry startup keys for the 'popuper.exe' file and its companion executable are re-created if they are deleted, so it is quite difficult to get rid of these files manually. Both files are now detected as 'Trojan.Win32.Puper.a'.

The 'popuper.exe' file is intrusive adware that shows popups with URLs taken from the 'sites.ini' file. The 'sites.ini' file contains a list of URLs, for example:


When this URL is accessed, a fake alert message is shown, for example:


and then follows a list of sites where different software can be downloaded.

It should be noted that all trojan droppers delete their files after they drop their payload.

To sum it up, the whole package was created to install adware components on a system, to prevent the user from accessing competitors' websites, to provide fake information to the user and to trick him/her into downloading additional software from friendly websites. We have reported this case to the authorities.