Virus: TR/Spy.Small.DG.8
Date discovered: 12/01/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 61.359 Bytes
MD5 checksum: d06b6957ad63de3b509fa3f36a36c571
VDF version: 6.32.00.237

General

Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Spy.Win32.Small.dg
   •  Bitdefender: Dropped:Trojan.KeyLogger.308


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Records keystrokes
   • Registry modification
   • Steals information

Files

It deletes the following file:
   • %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\tmp.tmp



The following files are created:
   • %TEMPDIR%\$_2341234.TMP
   • %TEMPDIR%\$_2341233.TMP
     This is a non-malicious text file with the following content:
     %stolen information%
   • %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
     It is executed once it has been fully written. Further investigation showed that this file is malware, too. Detected as: TR/Spy.Small.DG.5
   • %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
     It is executed once it has been fully written. Further investigation showed that this file is malware, too. Detected as: TR/Drop.Small.DG
   • %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
     It is executed once it has been fully written. Further investigation showed that this file is malware, too. Detected as: TR/PSW.Proxy.A.2




It tries to download a file from the following location:
   • http://garlem555.com/**********?id=%random character string%&sv=%several random digits%&build=%several random digits%&ts=%several random digits%&ip=%current ip address%&sport=%opened port%&hport=%opened port%

The file is saved on the local hard drive as %TEMPDIR%\$_2341233.exe and is executed once the download has completed. Further investigation showed that this file is malware, too.

Registry

The following registry value is set:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Shell"="\"%PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe\""



The following registry key is changed:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   New value:
   • "Shell"="explorer.exe%empty spaces%\"%PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe\""
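A defender-side check for the two persistence changes listed above, written as an added example (it is not part of the Avira description). The registry values are constructed samples; the drive letter, the 60-space padding and the benign ctfmon entry are assumptions modelled on the entries shown here.

```python
import re
from typing import Dict, List

# Constructed sample values modelled on the registry entries above.
# On a live host the same checks would be run on the values read with winreg.
WEB_FOLDERS = r"C:\Program Files\Common Files\Microsoft Shared\Web Folders"  # assumed path
SAMPLE_WINLOGON_SHELL = "explorer.exe" + " " * 60 + f'"{WEB_FOLDERS}\\ibm00001.exe"'
SAMPLE_RUN_VALUES = {
    "Shell": f'"{WEB_FOLDERS}\\ibm00001.exe"',        # as listed in the description
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",  # benign, constructed
}
KNOWN_DROPPED = {"ibm00001.exe", "ibm00001.dll", "ibm00002.dll"}  # names from the description

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # a quoted path or a bare word

def tokenize(value: str) -> List[str]:
    """Split a command-line style registry value into tokens, dropping quotes."""
    return [t.strip('"') for t in TOKEN_RE.findall(value)]

def check_winlogon_shell(value: str) -> List[str]:
    """Report anything beyond the single expected 'explorer.exe' in the Winlogon
    Shell value, plus the space padding used to push an appended path out of
    regedit's visible data column."""
    findings: List[str] = []
    tokens = tokenize(value)
    if not tokens or tokens[0].lower() != "explorer.exe":
        findings.append("unexpected shell: " + (tokens[0] if tokens else "<empty>"))
    for extra in tokens[1:]:
        findings.append("extra shell entry: " + extra)
    if re.search(r" {8,}", value):
        findings.append("space padding present (hides appended entry)")
    return findings

def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """Flag Run entries whose target is a dropped file or lives under Web Folders."""
    findings: List[str] = []
    for name, data in run_values.items():
        tokens = tokenize(data)
        target = tokens[0] if tokens else ""
        base = target.rsplit("\\", 1)[-1].lower()
        if base in KNOWN_DROPPED or "\\web folders\\" in target.lower():
            findings.append(f"Run\\{name} -> {target}")
    return findings

if __name__ == "__main__":
    for f in check_winlogon_shell(SAMPLE_WINLOGON_SHELL) + check_run_values(SAMPLE_RUN_VALUES):
        print(f)
```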

Backdoor

The following ports are opened:
   • explorer.exe on a random TCP port in order to provide a proxy server.
   • explorer.exe on a random TCP port in order to provide a proxy server.


Contact server:
   • http://garlem555.com/**********

As a result it may send information to this server. This is done via the HTTP POST method using a PHP script.


Sends information about:
   • Cached passwords
   • Collected Email addresses
   • Created logfiles
   • IP address
   • Current malware status
   • Opened port
   • Collected information described in stealing section
   • Information about the Windows operating system

Stealing

It tries to steal the following information:
   • Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

A logging routine is started after a website is visited:
   • %any website%

It captures:
   • Keystrokes
   • Window information
   • Internet traffic
   • Login information

Injection

It injects the following file into a process: ibm00001.dll
   Process name:
   • explorer.exe

It injects the following file into a process: ibm00002.dll
   Process name:
   • %all running processes%


Miscellaneous

Mutex:
It creates the following Mutex:
   • MSARCH_MUTEX_NAME

Rootkit Technology

Rootkit technology is a malware-specific technique: the malware hides its presence from system utilities, security applications and, in the end, from the user.


Hides the following:
   • Its own files

Method used:
   • Hidden from Windows API

File details

Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hamper detection and reduce the file size, it is packed with the following runtime packer:
   • nspack

Description inserted by Iulia Diaconescu on Friday, January 13, 2006
Description updated by Iulia Diaconescu on Monday, March 13, 2006
