Virus:TR/Drop.Small.ue.11
Date discovered:15/09/2005
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:14.336 Bytes
MD5 checksum:645063cc02e5ebf5dd50f34483c81f74
VDF version:6.31.1.58

General Method of propagation:
   • No own spreading routine


Aliases:
   •  TrendMicro: TROJ_SMALL.ANG
   •  F-Secure: W32/Dropper.ADV
   •  VirusBuster: Trojan.DR.Small.ZQ1
   •  Bitdefender: Dropped:Trojan.Downloader.2591.E


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files

Files:
It deletes the initially executed copy of itself.

The following files are created:

– A file that is for temporary use and it might be deleted afterwards:
   • %TEMPDIR%\tmp%two-digit random character string%.tmp

– A batch file that gets executed after it was fully created and is used to delete a file:
   • %TEMPDIR%\tmp%two-digit random character string%.bat



It tries to download a file:

– The locations are the following:
   • http://www.**********.us/backgr.jppg
   • http://www.**********.us/backgr1.jppg
   • http://www.**********.us/backgr2.jppg
   • http://www.**********.us/backgr3.jppg
   • http://**********.net/backgr.jppg
   • http://**********.net/backgr1.jppg
   • http://**********.net/backgr2.jppg
   • http://**********.net/backgr3.jppg
   • http://**********.hbhosting.com/backgr.jppg
   • http://**********.hbhosting.com/backgr1.jppg
   • http://**********.hbhosting.com/backgr2.jppg
   • http://**********.hbhosting.com/backgr3.jppg
At the time of writing, the file was not online for further investigation.

Backdoor:
Contact server:
   • **********.171.45\count.php

This is done via an HTTP GET request to a PHP script.

Miscellaneous:
Checks for an internet connection by contacting the following web site:
   • www.yahoo.com

File details:
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Catalin Jora on Thursday, September 15, 2005
Description updated by Catalin Jora on Wednesday, September 21, 2005
