Virus: TR/Dldr.Small.bws
Date discovered: 10/01/2006
Type: Trojan
Subtype: Downloader
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 3.829 Bytes
MD5 checksum: 3bfdf9916546db9a570302286d583af7

General
Method of propagation:
   • No own spreading routine


Aliases:
   • Symantec: Download.Trojan
   • Kaspersky: Trojan-Downloader.Win32.Small.bws
   • TrendMicro: TROJ_SMALL.AWD
   • Bitdefender: Trojan.Downloader.BeHappy.B


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files

Files
It tries to download some files:

The location is the following:
   • http://tool**********.biz/progs/kl.txt
It is saved on the local hard drive under: %WINDIR%\kl.exe. Furthermore, this file gets executed once it has been fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Spy.Small.DG.8


The location is the following:
   • http://tool**********.biz/progs/tool2.txt
It is saved on the local hard drive under: %WINDIR%\tool2.exe. Furthermore, this file gets executed once it has been fully downloaded. Detected as: TR/Killav.DB.2


The location is the following:
   • http://tool**********.biz/progs/toolbar.txt
It is saved on the local hard drive under: %WINDIR%\toolbar.exe. Furthermore, this file gets executed once it has been fully downloaded. Detected as: TR/Dldr.Adload.J.14


The location is the following:
   • http://tool**********.biz/progs/tool1.txt
It is saved on the local hard drive under: %WINDIR%\tool2.exe. Furthermore, this file gets executed once it has been fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Killav.DB.2


The location is the following:
   • http://tool**********.biz/progs/tool3.txt
It is saved on the local hard drive under: %WINDIR%\tool3.exe. Furthermore, this file gets executed once it has been fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Killav.DB.2


The location is the following:
   • http://tool**********.biz/progs/tool4.txt
It is saved on the local hard drive under: %WINDIR%\tool4.exe. Furthermore, this file gets executed once it has been fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Killav.DB.2


The location is the following:
   • http://tool**********.biz/progs/tool5.txt
It is saved on the local hard drive under: %WINDIR%\tool5.exe. Furthermore, this file gets executed once it has been fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Killav.DB.2


The location is the following:
   • http://tool**********.biz/progs/secure32.php
It is saved on the local hard drive under: %WINDIR%\secure32.html. Furthermore, this file gets executed once it has been fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.Sma.bfy.5.B


The location is the following:
   • http://tool**********.biz/progs/paytime.txt
It is saved on the local hard drive under: %SYSDIR%\paytime.exe. Furthermore, this file gets executed once it has been fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/StartPage.adi.5


The location is the following:
   • http://tool**********.biz/progs/ms1.txt
It is saved on the local hard drive under: %WINDIR%\ms1.exe. Furthermore, this file gets executed once it has been fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.Smal.xk.3.A


The location is the following:
   • http://tool**********.biz/progs/hosts.txt
It is saved on the local hard drive under: %WINDIR%\hosts. Furthermore, this file gets executed once it has been fully downloaded. At the time of writing, this file was not online for further investigation.

The location is the following:
   • http://tool**********.biz/dl/dluniq.php?adv=adv661&code1=%random character string% &code2=%several random digits%
It is saved on the local hard drive under: %WINDIR%\uniq. Furthermore, this file gets executed once it has been fully downloaded. At the time of writing, this file was not online for further investigation.

Registry
The following registry key is added:

[HKCU\Software\Microsoft\Windows\CurrentVersion]
   • "adv661"="adv661"

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • FSG

Description inserted by Iulia Diaconescu on Tuesday, January 10, 2006
Description updated by Iulia Diaconescu on Monday, January 16, 2006
