Virus: DR/Dldr.Small.ctp
Date discovered: 01/05/2006
Type: Dropper
Subtype: Downloader
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 48.190 Bytes
MD5 checksum: 66b008d918e68e174d96a35f6a6baa7e
VDF version: 6.34.01.26

General Method of propagation:
   • No own spreading routine


Alias:
   •  Bitdefender: Trojan.Downloader.Small.CTP


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Registry modification

Files:
It renames the following files:

   • VSL.dl_ into hosecu.dll
   • auxe.exe into hosecu.dll.exe

The following files are created:

– Temporary files that might be deleted afterwards:
   • %PROGRAM FILES%\folder.js
   • %TEMPDIR%\ns%two-digit random character string%.tmp\System.dll
   • %PROGRAM FILES%\ini.ini

%PROGRAM FILES%\ComPlus Applications\VSL.dl_ Further investigation showed that this file is malware, too. Detected as: TR/Dldr.Small.ctp

%PROGRAM FILES%\ComPlus Applications\auxe.exe It is executed once it has been fully written to disk. Further investigation showed that this file is malware, too.

– The download location is the following:
   • http://apps.deskwizz.com/GetAd/**********
It is saved on the local hard drive under:
   • %PROGRAM FILES%\ComPlus Applications\hosecu
This file may contain further download locations and might serve as a source for new threats.

Registry:
It registers a browser helper object (BHO) by adding the following keys:

– HKCR\CLSID\{%several random digits%}
   • @=""

– HKCR\CLSID\{%several random digits%}\InProcServer32
   • @="%PROGRAM FILES%\ComPlus Applications\hosecu.dll"
   • "ThreadingModel"="Apartment"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{%several random digits%}
   • @=""

Backdoor:
Contact server, one of the following:
   • http://apps.deskwizz.com/GetAd/**********
   • http://apps.deskwizz.com/GetAd/**********
   • http://apps.deskwizz.com/GetAd/**********



Remote control capabilities:
    • Visit a website

Description inserted by Ionut Slaveanu on Wednesday, May 10, 2006
Description updated by Ionut Slaveanu on Friday, May 26, 2006
