



Trojan-Downloader:W32/Small.DOG

Name: Trojan-Downloader:W32/Small.DOG
Detection Names: Trojan-Downloader.Win32.Small.dog
Size: 5,637 bytes
Category: Malware
Type: Trojan-Downloader
Platform: W32
Date of Discovery: August 22, 2006

Summary

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Additional Details

Trojan-Downloader:W32/Small.DOG secretly downloads malware from a remote site to install and execute on the infected machine. 


Distribution

Small.DOG may be delivered to the system in an infected file attachment accompanying German-language spam e-mail messages.



The attachment name used is Document.doc.exe. The attachment uses the Microsoft Word icon to disguise its executable nature and deceive the user into believing the attachment is a Word document.





Execution

If the user executes the malware by clicking on the attachment, the Trojan creates a new instance of Svchost.exe using itself as the parameter.

It then drops the following file in the Windows System folder:

  •  {Copied filename of any file found on the Windows System directory}{Random character}.exe

Small.DOG attempts to connect to one of a number of websites to download an encrypted text file.

It then decrypts the downloaded text file to reveal the following download path:

  •   apte-hamburg.de/Deutsch/Aktuell/{...}.exe

Small.DOG will then download and execute this file. The downloaded file is detected as Trojan-Spy:W32/BZub.BL.


Registry

It installs the following registry entries as its autostart technique:

  •  [HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
      {Special Character}:=7<${Special Character}#72'6S =
      "C:\%WinDirSys%\%FileName%.exe"
  •  [HKEY_CURRENT_USER\Software\Microsoft\OLE]
      {Special Character}:=7<${Special Character}#72'6S =
      "C:\%WinDirSys%\%FileName%.exe"
  •  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      {Special Character}:=7<${Special Character}#72'6S =
      "C:\%WinDirSys%\%FileName%.exe"
  •  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
      {Special Character}:=7<${Special Character}#72'6S =
      "C:\%WinDirSys%\%FileName%.exe"
  •  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
      {Special Character}:=7<${Special Character}#72'6S =
      "C:\%WinDirSys%\%FileName%.exe"
  •  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
      {Special Character}:=7<${Special Character}#72'6S =
      "C:\%WinDirSys%\%FileName%.exe"
  •  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      {Special Character}:=7<${Special Character}#72'6S =
      "C:\%WinDirSys%\%FileName%.exe"
  •  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
      {Special Character}:=7<${Special Character}#72'6S =
      "C:\%WinDirSys%\%FileName%.exe"

Note: %WinDirSys% is by default C:\Windows\System32 and %FileName% represents the Copied filename plus the Random character.
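As an added example (not F-Secure's code and not part of the original description), the following Python triage check correlates the autostart keys listed above with the dropped-file naming pattern from the Execution section, working on an exported registry listing and a System folder file listing. It assumes that the "copied filename" is the name without its extension and that the random character is appended at the end; the function names, the input tuple format and the sample data are constructed for illustration.

```python
import ntpath

# Autostart keys listed in this description (compared case-insensitively).
WATCHED_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
)}

def lookalike_of(exe_name, system_files):
    """Return the system file whose stem plus one character equals exe_name's stem."""
    stem, ext = ntpath.splitext(exe_name.lower())
    if ext != ".exe" or len(stem) < 2:
        return None
    for other in system_files:
        other_stem = ntpath.splitext(other.lower())[0]
        if other.lower() != exe_name.lower() and stem[:-1] == other_stem:
            return other
    return None

def suspect_autostarts(entries, system_dir, system_files):
    """entries: (key, value_name, data) tuples taken from a registry export."""
    hits = []
    for key, _value_name, data in entries:
        if key.lower() not in WATCHED_KEYS:
            continue
        path = data.strip().strip('"')          # autostart data may be quoted
        folder, exe = ntpath.split(path)
        if folder.lower().rstrip("\\") != system_dir.lower().rstrip("\\"):
            continue                            # only executables in the System folder
        original = lookalike_of(exe, system_files)
        if original:
            hits.append((key, exe, original))
    return hits

# Constructed sample data (not taken from a real host).
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM_FILES = ["calc.exe", "notepad.exe", "notepadx.exe", "kernel32.dll"]
ENTRIES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "ctfmon", r"C:\Windows\System32\ctfmon.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "constructed-value", r'"C:\Windows\System32\notepadx.exe"'),
]
```

A hit is a lead for manual review, not a verdict: legitimate files can differ from another file name by one trailing character.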

Detection

F-Secure Anti-Virus detects this malware with the following updates:

[FSAV_Database_Version]
Version = 2006-08-23_01.