Threat Descriptions

Trojan-Downloader:W32/Small.CZL

Classification

Category :

Malware

Type :

Trojan-Downloader

Platform :

W32

Aliases :

Trojan-Downloader:W32/Small.CZL, Trojan-Downloader:W32/Small.CZL

Summary

Trojan-Downloader:W32/Small.CZL steals passwords and downloads files from several websites and executes them.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Trojan-Downloader:W32/Small.CZL is a trojan used to steal passwords from QQ Instant Messenger and also tries to download other components from the Internet. It may arrive on the system as a component of other malware or maybe downloaded from the Internet directly.Upon execution, it drops the following files:

  • %SysDir%\ctfnom.exe - Main executable file of the malware
  • %SysDir%\drivers\usbine.sys - Component file detected as Trojan-Downloader.Win32.Small.czl

This trojan checks for the installation of the Chinese Instant Messenger QQ in the system by searching for the following registry entry:

  • [HKLM\SOFTWARE\TENCENT\PLATFORM_TYPE_LIST\1] TyePath

Note: TyePath contains the path where the QQ.exe file is located, usually %ProgramFiles%\Tencent\QQ.If the QQ Instant Messenger is installed, it will search for the following file from the QQ installation path:

  • TIMPLATFORM.EXE

When this file is found, this trojan will rename the original TIMPLATFORM.EXE to TIMPLATFROM.EXE. After that, it will create a copy of itself with the name TIMPLATFORM.EXE.It creates the following autostart registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] twin = "%SysDir%\ctfnom.exe"

It also sets the value of the following registry entry as part of its installation routine:

  • [HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] load = 8

Trojan-Downloader:W32/Small.CZL also tries to delete the following file:

  • D:\autorun.inf.

It also deletes the following registry key:

  • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs]

In order to steal passwords from QQ Instant Messenger, this trojan monitors the window used by QQ.exe and logs keystrokes.This trojan may also download other components from the Internet.

Detection

F-Secure Anti-Virus detects this malware with the following updates:

Detection Type: PC

Database: 2006-06-05_01