Virus: TR/Dldr.Small.zou
Date discovered: 01/08/2008 (1 August 2008)
Type: Trojan
Subtype: Downloader
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: No
File size: 130,048 Bytes
IVDF version: 7.00.05.202 - Friday, August 1, 2008

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Downloader.Win32.Small.zou
   •  Eset: Win32/TrojanDownloader.Agent.OBK trojan
   •  Bitdefender: Trojan.Agent.AJKY


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops a file
   • Drops malicious files
   • Registry modification


It displays the content of a created pictorial file (%SYSDIR%\phc1boj0e39c.bmp, which it sets as the desktop wallpaper; see the registry changes below).


Files
It copies itself to the following location:
   • %SYSDIR%\lphc1boj0e39c.exe



The following files are created:

– Non-malicious file:
   • %SYSDIR%\phc1boj0e39c.bmp

– Malicious files:
   • %SYSDIR%\blphc1boj0e39c.scr
     Furthermore it gets executed after it was fully created. Detected as: JOKE/BSOD.C (the Sysinternals BlueScreen screensaver, which imitates a Windows crash screen; see the EulaAccepted registry value below)
   • %TEMPDIR%\.tt1.tmp.vbs
     Furthermore it gets executed after it was fully created. Detected as: VBS/Agent.1002




It tries to download a file:

– The location is the following:
   • http://www.avxp2008.com/images/**********.gif
It is saved on the local hard drive under: %TEMPDIR%\.tt4.tmp
Furthermore this file gets executed after it was fully downloaded; the .gif extension in the URL is only cosmetic, since the content is stored as a .tmp file and run. Further investigation pointed out that this file is malware, too. Detected as: DR/FraudTool.MX

Registry
The following value is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • lphc1boj0e39c="%SYSDIR%\lphc1boj0e39c.exe"



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Software Notifier]
   • InstallationID="9528fec3-f3c9-4201-91c6-ff859a0641b2"

– [HKCU\Software\Sysinternals\Bluescreen Screen Saver]
   • EulaAccepted=dword:00000001
     (pre-accepts the Sysinternals licence prompt so the dropped BlueScreen screensaver runs without user interaction)



The following registry keys are changed:

Various Explorer settings (the two policy values hide the Background and Screen Saver tabs of Display Properties, so the user cannot undo the wallpaper and screensaver changes below through the Control Panel):
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   New value:
   • NoDispBackgroundPage=dword:00000001
   • NoDispScrSavPage=dword:00000001

– [HKCU\Control Panel\Colors]
   New value:
   • Background="0 0 255" (desktop colour set to pure blue, RGB)

– [HKCU\Control Panel\Desktop]
   New value:
   • WallpaperStyle="0"
   • TileWallpaper="0"
   • Wallpaper="%SYSDIR%\phc1boj0e39c.bmp"
   • OriginalWallpaper="%SYSDIR%\phc1boj0e39c.bmp"
   • SCRNSAVE.EXE="%SYSDIR%\blphc1boj0e39c.scr"
   • ScreenSaveActive="1"
   • ScreenSaveTimeOut="600" (seconds: the fake crash screen appears after 10 minutes of inactivity)
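As an added example (not part of the original Avira description and not code from the malware), the following Python script parses a registry export in .reg syntax and flags the indicators listed above: the Run-key persistence entry, the hidden Display Properties tabs, the wallpaper and screensaver values, and the pre-accepted BlueScreen EULA. It correlates the wallpaper and screensaver with the autostart entry through the shared random stem of the three file names (lphc<stem>.exe, phc<stem>.bmp, blphc<stem>.scr). The embedded sample export is constructed from the values on this page; the assumption that the stem "1boj0e39c" varies between samples and is at least six alphanumeric characters is the example's, not the description's.

```python
import re
from typing import Dict, List, Optional, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
DESKTOP_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"
BSOD_KEY = r"HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver"

# Artifact naming on this page: lphc<stem>.exe, phc<stem>.bmp, blphc<stem>.scr. The stem
# "1boj0e39c" is the page's; treating it as a variable alphanumeric string of at least
# six characters is an assumption of this example, not a statement of the description.
ARTIFACT_RE = re.compile(r"(?i)^(bl|l)?phc(?P<stem>[0-9a-z]{6,})\.(?P<ext>exe|bmp|scr)$")

# Constructed sample export reproducing the values from this description, plus one
# legitimate Run entry (ctfmon) that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"lphc1boj0e39c"="C:\\WINDOWS\\system32\\lphc1boj0e39c.exe"

[HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver]
"EulaAccepted"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\system32\\phc1boj0e39c.bmp"
"SCRNSAVE.EXE"="C:\\WINDOWS\\system32\\blphc1boj0e39c.scr"
"ScreenSaveActive"="1"
"ScreenSaveTimeOut"="600"
"""

Finding = Tuple[str, str, Optional[str]]


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal .reg parser: keeps string and dword values, grouped by key path."""
    tree: Dict[str, Dict[str, object]] = {}
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
        elif key and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            name, value = name.strip().strip('"'), value.strip()
            if value.lower().startswith("dword:"):
                tree[key][name] = int(value[6:], 16)
            elif len(value) >= 2 and value[0] == value[-1] == '"':
                # .reg escapes backslashes and quotes inside string data
                tree[key][name] = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            else:
                tree[key][name] = value
    return tree


def basename(path: object) -> str:
    return str(path).strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def find_indicators(tree: Dict[str, Dict[str, object]]) -> List[Finding]:
    """Return (category, value name, data) for the indicators listed on this page."""
    findings: List[Finding] = []
    stems = set()
    # 1. Autostart entry whose target follows the lphc<stem>.exe naming
    for name, cmd in tree.get(RUN_KEY, {}).items():
        m = ARTIFACT_RE.match(basename(cmd))
        if m and m.group("ext") == "exe":
            stems.add(m.group("stem").lower())
            findings.append(("persistence", name, str(cmd)))
    # 2. Display Properties tabs hidden so the user cannot undo wallpaper/screensaver
    policy = tree.get(POLICY_KEY, {})
    hidden = [v for v in ("NoDispBackgroundPage", "NoDispScrSavPage") if policy.get(v) == 1]
    if hidden:
        findings.append(("display_tabs_hidden", ",".join(hidden), None))
    # 3. Wallpaper / screensaver pointing at artifacts: "linked" when the stem matches the
    #    Run entry, "orphan" when only the desktop settings survived a partial cleanup
    desktop = tree.get(DESKTOP_KEY, {})
    for valname in ("Wallpaper", "OriginalWallpaper", "SCRNSAVE.EXE"):
        m = ARTIFACT_RE.match(basename(desktop.get(valname, "")))
        if m:
            kind = "linked_artifact" if m.group("stem").lower() in stems else "orphan_artifact"
            findings.append((kind, valname, str(desktop[valname])))
    # 4. EulaAccepted alone only shows the Sysinternals BlueScreen saver ran once;
    #    report it only next to a hijacked SCRNSAVE.EXE
    hijacked = any(f[1] == "SCRNSAVE.EXE" for f in findings)
    if hijacked and tree.get(BSOD_KEY, {}).get("EulaAccepted") == 1:
        findings.append(("bsod_screensaver", "EulaAccepted", "1"))
    return findings


if __name__ == "__main__":
    for category, name, data in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"{category:20} {name} = {data}")
```

On a live system the same logic can be fed the output of `reg export` for the two hives; the stem correlation matters because a partial cleanup that removes only the Run entry leaves the wallpaper and screensaver values pointing at the dropped files, which the script reports as orphan artifacts.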

File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Alexander Neth on Tuesday, August 5, 2008
Description updated by Philipp Wolf on Tuesday, August 5, 2008
