Virus: TR/Small.DBY.AF.3
Date discovered: 14/02/2007
Type: Trojan
Subtype: SPY
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: 37.747 Bytes
MD5 checksum: 8617ab4e033c0853cf1766de30cf6589
VDF version: 6.37.01.91
IVDF version: 6.37.01.92 - Wednesday, February 14, 2007

General:
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Email-Worm.Win32.Zhelatin.ab
   •  Eset: Win32/Nuwar.gen worm
   •  Bitdefender: Trojan.Peed.ET


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files

Files:
The following files are created:

– Non malicious file:
   • %SYSDIR%\wincom32.ini

– Malicious file:
   • %SYSDIR%\wincom32.sys – it is executed as soon as it has been fully written. Further investigation showed that this file is malware, too. Detected as: TR/Small.DBY.M.1

Registry:
The following registry key is added in order to load the service after reboot:

– HKLM\System\CurrentControlSet\Services\wincom32\ImagePath
   • "\??\%SYSDIR%\wincom32.sys"

Network Infection:
IP address generation: it generates random IP addresses and tries to establish a connection with them.

Injection:
– It injects the following file into a process: wincom32.sys
   Process name:
   • %SYSDIR%\services.exe


Rootkit Technology:
Hides the following:
   • Its own files
   • Its own registry key


Method used:
   • Hidden from Windows API

Hooks the following API functions:
   • ZwQueryDirectoryFile
   • ZwEnumerateKey
   • ZwEnumerateValueKey
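The following triage script is an added example and not part of the Avira description: it checks a host for the artifacts listed above (the two dropped files, the wincom32 service key and the service itself) and reports file hashes for comparison. It assumes an elevated PowerShell session; the parameter names and the -OfflineVolume switch are the example's own.

```powershell
# Added triage script; not part of the Avira description. Assumes it is run
# elevated. -SystemDir may point at an offline volume's system32 (e.g. from
# WinPE) for the file checks; the registry/service checks only apply live.
function Test-Wincom32Artifacts {
    param(
        [string]$SystemDir = [Environment]::GetFolderPath('System'),  # %SYSDIR%
        [switch]$OfflineVolume   # skip live-registry checks when scanning a mounted image
    )
    # MD5 of the sample the description covers (the dropper itself);
    # a dropped wincom32.sys is a different file and need not share it.
    $KnownMd5 = '8617ab4e033c0853cf1766de30cf6589'
    $findings = @()

    foreach ($name in 'wincom32.ini', 'wincom32.sys') {
        $path = Join-Path $SystemDir $name
        if (Test-Path -LiteralPath $path) {
            $md5  = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
            $note = if ($md5 -eq $KnownMd5) { 'MD5 matches the described sample' } else { "MD5 $md5" }
            $findings += [pscustomobject]@{ Indicator = $path; Detail = $note }
        }
    }

    if (-not $OfflineVolume) {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wincom32'
        if (Test-Path -LiteralPath $key) {
            $img = (Get-ItemProperty -LiteralPath $key).ImagePath
            $findings += [pscustomobject]@{ Indicator = "$key\ImagePath"; Detail = "$img" }
        }
        # Second view of the same artifact, via the Service Control Manager.
        $svc = Get-Service -Name wincom32 -ErrorAction SilentlyContinue
        if ($svc) {
            $findings += [pscustomobject]@{ Indicator = 'service wincom32'; Detail = "status $($svc.Status)" }
        }
    }

    if ($findings.Count -eq 0) {
        # The rootkit hides its files and keys from Windows API callers
        # (ZwQueryDirectoryFile, ZwEnumerateKey, ZwEnumerateValueKey), so a
        # clean result on a live host is not conclusive; repeat from an
        # offline boot with -SystemDir pointing at the mounted volume.
        Write-Output 'No wincom32 artifacts visible (inconclusive on a live host).'
    }
    return $findings
}

Test-Wincom32Artifacts | Format-Table -AutoSize
```

A hit on any indicator is sufficient to treat the host as compromised; an empty result on a running system only means the hooked API path showed nothing.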

File details:
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • PEPACK

Description inserted by Viktor Graeber on Wednesday, April 25, 2007
Description updated by Viktor Graeber on Friday, April 27, 2007
