Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:TR/Spy.Small.DG.80
Date discovered:07/03/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:75.264 Bytes
MD5 checksum:7200f6a6dff45b8b4162088b4cb2fd38
VDF version:6.33.01.77

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Spy.Win32.Small.dg
   •  Bitdefender: Trojan.Spy.Small.DG


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Drops malicious files
   • Registry modification
   • Steals information

 Files  Non malicious files:
   • %TEMPDIR%\$_2341234.TMP
   • %TEMPDIR%\$_2341235.TMP

%TEMPDIR%\$_2341233.TMP This is a non malicious text file with the following content:
   • %stolen information%

%PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Spy.Small.DG.78

%PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.dll Further investigation pointed out that this file is malware, too. Detected as: TR/PSW.Snap.A

%PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00002.dll Further investigation pointed out that this file is malware, too. Detected as: TR/Spy.Agent.JO.1

 Registry The following registry key is added in order to run the process after reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Shell"="%PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"



The following registry key is changed:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   New value:
   • "Shell"="explorer.exe %empty spaces% %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

 Backdoor The following ports are opened:

explorer.exe on a random TCP port in order to provide a proxy server.
explorer.exe on a random TCP port in order to provide a Socks 5 proxy server.


Contact server:
All of the following:
   • umorili.com/gamma/**********
   • 81.177.14.6//gamma/**********

As a result it may send some information. This is done via the HTTP POST method using a PHP script.


Sends information about:
     Cached passwords
     Created logfiles
     IP address
     Opened port
     Collected information described in stealing section
     Information about the Windows operating system

 Stealing It tries to steal the following information:
 Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

Passwords from the following programs:
   • Outlook
   • Eudora
   • Thunderbird
   • The Bat
   • Flash FXP
   • Total commander
   • Far

A logging routine is started after a website is visited:
   • %any website that contains a login form%

 It captures:
     Window information
     Login information

 Injection –  It injects the following file into a process: %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.dll

    Process name:
   • explorer.exe



–  It injects the following file into a process: %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00002.dll

    Process name:
   • explorer.exe


 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • ASPack

Description inserted by Andrei Gherman on Monday, March 13, 2006
Description updated by Andrei Gherman on Monday, March 13, 2006

Back . . . .