Virus:TR/PSW.Small.BS.2
Date discovered:12/09/2006
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:12.592 Bytes
MD5 checksum:978ded8c7055e4c5e650600d2fcc0c3f
VDF version:6.35.01.216
IVDF version:6.35.01.220 - Wednesday, September 13, 2006

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Sophos: Troj/PWS-HP
   •  Bitdefender: Trojan.PSW.Small.B


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a file
   • Drops a malicious file
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %WINDIR%\9129837.exe



It deletes the initially executed copy of itself.



The following files are created:

   • %WINDIR%\hide_evr2.sys
     Further investigation pointed out that this file is malware, too. Detected as: TR/PSW.Small.BS.3

   • %malware execution directory%\a.bat
     This batch file is used to delete a file.

Registry
One of the following values is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "ttool"="%WINDIR%\9129837.exe"



The following registry keys are added in order to load the services after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\hide_evr2]
   • "Type"=dword:00000001
   • "Start"=dword:00000003
   • "ErrorControl"=dword:00000000
   • "ImagePath"=\??\%WINDIR%\hide_evr2.sys
   • "DisplayName"="!!!!"

– [HKLM\SYSTEM\CurrentControlSet\Services\hide_evr2\Security]
   • "Security"=%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\hide_evr2\Enum]
   • "0"="Root\\LEGACY_HIDE_EVR2\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001



The following registry key is added:

– [HKCU\Software\Microsoft\InetData]
   • "k1"=%random character string%
   • "k2"=%random character string%
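The three registry locations above (the Run value, the hide_evr2 service key and the InetData key) are the indicators a responder would check for on a suspect machine. The following script is an added example, not part of this description or of Avira's tooling: it parses a registry dump in the `reg export` (.reg) text format and reports those indicators. It works on an exported file rather than the live registry so it runs on any platform, and so it can be pointed at a hive exported from outside the infected session, which matters here because the rootkit component hides the keys from the Windows API on the running host. The sample dump embedded below is constructed; the key names, value names and file names in it are the ones listed in this description, while the %WINDIR% expansion (C:\WINDOWS) and the k1/k2 strings are made-up illustrative values.

```python
"""Check a `reg export` text dump for the persistence keys listed above.

Added example (not part of the Avira description). Parses the .reg file
format offline and reports the registry indicators this description lists.
"""
import re

# Indicators taken from the description, with the hive abbreviations expanded
# to the names that appear in a .reg export.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hide_evr2"
INETDATA_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\InetData"

# Constructed sample dump: the keys/values follow the description, the drive
# path and the k1/k2 strings are invented for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ttool"="C:\\WINDOWS\\9129837.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hide_evr2]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
  44,00,4f,00,57,00,53,00,5c,00,68,00,69,00,64,00,65,00,5f,00,65,00,76,00,72,00,\
  32,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="!!!!"

[HKEY_CURRENT_USER\Software\Microsoft\InetData]
"k1"="qx7ZpL2m"
"k2"="Ht93vbQa"
'''


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _decode_hex2(payload):
    # hex(2) is REG_EXPAND_SZ stored as comma-separated UTF-16LE bytes
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_reg(text):
    """Return {key_path: {value_name: value}} from a .reg export."""
    keys = {}
    current = None
    # a trailing backslash continues a hex value list on the next line
    joined = re.sub(r"\\\r?\n\s*", "", text)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif data.startswith("hex(2):"):
            keys[current][name] = _decode_hex2(data[7:])
        else:
            keys[current][name] = data  # other value types kept raw
    return keys


def find_indicators(keys):
    """Return (severity, message) findings for the keys this description lists."""
    findings = []
    for name, val in keys.get(RUN_KEY, {}).items():
        # the Run value is named "ttool" and points at %WINDIR%\9129837.exe
        if name.lower() == "ttool" or str(val).lower().endswith("\\9129837.exe"):
            findings.append(("high", f"Run value {name!r} -> {val}"))
    svc = keys.get(SERVICE_KEY)
    if svc is not None:
        img = str(svc.get("ImagePath", ""))
        findings.append(("high", f"service hide_evr2 present, ImagePath={img or '?'}"))
    inet = keys.get(INETDATA_KEY)
    if inet is not None and {"k1", "k2"} & set(inet):
        findings.append(("medium", "HKCU\\Software\\Microsoft\\InetData k1/k2 present"))
    return findings


if __name__ == "__main__":
    for sev, msg in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"[{sev}] {msg}")
```

Run it against a real export with `parse_reg(open(path, encoding="utf-16").read())`, since `reg export` writes UTF-16 by default. The service check deliberately fires on the key's presence alone, because the Type/Start/ErrorControl values are generic and only the key name and the driver path are specific to this sample.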

Backdoor
The following port is opened:
   • A random UDP port, in order to provide backdoor capabilities.


Contact server:
All of the following:
   • http://81.95.147.107/cgi-bin/**********
   • http://81.95.147.107/cgi-bin/**********
   • http://81.95.147.107/cgi-bin/**********
   • http://81.95.147.107/cgi-bin/**********
   • http://81.95.147.107/cgi-bin/**********

As a result it may send information, and remote control could be provided. This is done via HTTP GET and POST requests to a PHP script.


Sends information about:
    • Current malware status
    • Collected information described in the stealing section

Stealing
It tries to steal the following information:
– Passwords typed into 'password input fields'

– A logging routine is started after a website is visited:
   • %any website that contains a login form%

– It captures:
    • Window information
    • Browser window

Rootkit Technology
Hides the following:
– Its own files
– Its own process
– Its own registry keys


Method used:
    • Hidden from Windows API

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Marius T. Nicolae on Friday, September 22, 2006
Description updated by Andrei Ivanes on Thursday, October 19, 2006
