Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:TR/Spy.Small.DG.8
Date discovered:12/01/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:61.359 Bytes
MD5 checksum:d06b6957ad63de3b509fa3f36a36c571
VDF version:6.32.00.237

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Spy.Win32.Small.dg
   •  Bitdefender: Dropped:Trojan.KeyLogger.308


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Records keystrokes
   • Registry modification
   • Steals information

 Files  It deletes the following file:
   • %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\tmp.tmp



The following files are created:

%TEMPDIR%\$_2341234.TMP
%TEMPDIR%\$_2341233.TMP This is a non malicious text file with the following content:
   • %stolen information%

%PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Spy.Small.DG.5

%PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00002.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Drop.Small.DG

%PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/PSW.Proxy.A.2




It tries to download a file:

– The location is the following:
   • http://garlem555.com/**********?id=%random character string%&sv=%several random digits%&build=%several random digits%&ts=%several random digits%&ip=%current ip address%&sport=%opened port%&hport=%opened port%
It is saved on the local hard drive under: %TEMPDIR%\$_2341233.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too.

 Registry – [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Shell"="\"%PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe\""



The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   New value:
   • "Shell"="explorer.exe%empty spaces%\"%PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe\""

 Backdoor The following ports are opened:

– explorer.exe on a random TCP port in order to provide a proxy server.
– explorer.exe on a random TCP port in order to provide a proxy server.


Contact server:
The following:
   • http://garlem555.com/**********

As a result it may send some information. This is done via the HTTP POST method using a PHP script.


Sends information about:
    • Cached passwords
    • Collected Email addresses
    • Created logfiles
    • IP address
    • Current malware status
    • Opened port
    • Collected information described in stealing section
    • Information about the Windows operating system

 Stealing It tries to steal the following information:
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– A logging routine is started after a website is visited:
   • %any website%

– It captures:
    • Keystrokes
    • Window information
    • Internet traffic
    • Login information

 Injection –  It injects the following file into a process: ibm00001.dll

    Process name:
   • explorer.exe



–  It injects the following file into a process: ibm00002.dll

    Process name:
   • %all running processes%


 Miscellaneous Mutex:
It creates the following Mutex:
   • MSARCH_MUTEX_NAME

 Rootkit Technology It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.


Hides the following:
– Its own files


Method used:
    • Hidden from Windows API

 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • nspack

Description inserted by Iulia Diaconescu on Friday, January 13, 2006
Description updated by Iulia Diaconescu on Monday, March 13, 2006

Back . . . .