Virus: TR/Dldr.Tiny.brm
Date discovered: 14/07/2008
Type: Trojan
Subtype: Downloader
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 8,192 Bytes
MD5 checksum: 6b4ef50e3e21205685cea919ebf93476
IVDF version: 7.00.05.107 - Monday, July 14, 2008

General
Method of propagation:
   • No own spreading routine


Aliases:
   • Symantec: Trojan Horse
   • Kaspersky: Trojan-Downloader.Win32.Obitel.a
   • TrendMicro: TROJ_DLOADR.GG
   • F-Secure: Trojan-Downloader.Win32.Obitel.a
   • Sophos: Troj/Agent-HFU
   • Eset: Win32/TrojanDownloader.Tiny.NDM
   • Bitdefender: Trojan.Downloader.Gadja.C


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file

Files
It copies itself to the following location:
   • %SYSDIR%\userinit.exe



It renames the following file:

   • %SYSDIR%\userinit.exe into %SYSDIR%\userini.exe



It deletes the initially executed copy of itself.
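The copy-and-rename sequence above leaves two things on disk a defender can check for: a userinit.exe in the system directory that matches the sample's size and MD5, and the genuine binary parked next to it as userini.exe. The following check is an added example, not code from the original Avira description; the function name, the directory argument and the optional allowlist of trusted hashes are assumptions, and the indicator values are those listed on this page.

```python
import hashlib
import os

# Indicators taken from the description above.
KNOWN_MD5 = "6b4ef50e3e21205685cea919ebf93476"
KNOWN_SIZE = 8192  # bytes


def md5_of_file(path):
    """Return the hex MD5 digest of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_userinit_hijack(sysdir, trusted_md5s=None):
    """Inspect a system directory (normally %SYSDIR%, e.g. C:\\Windows\\System32)
    for the userinit.exe replacement pattern described on this page.

    trusted_md5s (assumed parameter): optional set of MD5 digests of the
    legitimate userinit.exe for the deployed Windows build; when given, any
    userinit.exe not in the set is flagged even if it is not this sample.
    Returns a list of finding strings; an empty list means nothing was seen.
    """
    findings = []
    userinit = os.path.join(sysdir, "userinit.exe")
    renamed = os.path.join(sysdir, "userini.exe")

    if os.path.isfile(userinit):
        if os.path.getsize(userinit) == KNOWN_SIZE:
            findings.append("userinit.exe has the sample's size (8192 bytes)")
        digest = md5_of_file(userinit)
        if digest == KNOWN_MD5:
            findings.append("userinit.exe matches the TR/Dldr.Tiny.brm MD5")
        elif trusted_md5s is not None and digest not in trusted_md5s:
            findings.append("userinit.exe MD5 is not in the trusted allowlist")
    else:
        # Winlogon needs userinit.exe; its absence is itself suspicious.
        findings.append("userinit.exe is missing from the system directory")

    if os.path.isfile(renamed):
        # The malware parks the genuine file here before taking its place.
        findings.append("userini.exe present: genuine userinit.exe was renamed aside")

    return findings
```

Run it against the real system directory with an allowlist of known-good hashes for the Windows build in use; on a clean host it returns an empty list.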

   • %TEMPDIR%\%three-digit random character string%.tmp
     Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.Tiny.brm.1




It tries to download a file from the following location:
   • http://fixaserver.ru/**********gate.php**********
This file is executed once the download has completed. At the time of writing, the file was not online for further investigation.

Email
It does not have its own spreading routine, but it was spammed out via email. Its characteristics are as follows:


From:
The sender address is spoofed.


Subject:
One of the following:
   • Ihr UPS Paket %random character string%
   • UPS Paket %random character string%



Body:
The body of the email is the following:

   • Guten Tag,
     leider konnten wir ihren Paket gesendet am 01. Juli nicht zustellen, da
     die Adresse des Empfangers nicht existiert. Drucken Sie bitte den Lieferschein im Anhang dieser Mail aus,
     und holen Sie ihr Paket bei uns ab.

   • Dear Sir/Madam,
     
     Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient's address is not correct.
     Please print out the invoice copy attached and collect the package at our office
     
     Your UPS


Attachment:
The filename of the attachment is one of the following:
   • UPS_Lieferschein_8102.zp
   • ups_invoice.zip

The attachment is an archive containing a copy of the malware itself.

File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Thomas Wegele on Tuesday, July 15, 2008
Description updated by Thomas Wegele on Tuesday, July 15, 2008
