1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Backdoor:W32/Small.H

Backdoor:W32/Small.H

Name : Backdoor:W32/Small.H
Detection Names : Virus.Win32.Small.h
Size:48267
Category:Malware
Type:Backdoor
Type:Email-Worm, Virus
Platform:W32
Date of Discovery:July 17, 2006

Summary

A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.

Disinfection

Small.H duplicates file names and processes of legitimate Windows applications.

Windows Task Manager does not show distinctive details:



In order to determine the Small.H processes from the Windows processes, an enhanced Task Manager is needed. Process Explorer, freeware from Sysinternals, is one such application. Note: This is a Third Party application, the link below will direct you away from F-Secure's website.

1. Download Process Explorer from Sysinternals website: http://www.sysinternals.com/Utilities/ProcessExplorer.html
The application is a standalone exe file and does not require installation.

2. Run Process Explorer, in the process list find the following processes and end them by using the Kill option from the context menu (right-click).
  •  csrss.exe
  •  lsass.exe
  •  winlogon.exe

The screenshot below shows the targets highlighted in purple. Note the use of the folder icons unlike the legitimate Windows files. Do not end the Windows processes with the same names also seen in the screenshot.



3. Remove the following files from the hard drive:

  •  C:\[Documents and Settings]\[Current User]\winlogon.exe
  •  C:\[Documents and Settings]\[Current User]\csrss.exe
  •  C:\[Documents and Settings]\[Current User]\Local Settings\Temp\FolderData.exe
  •  C:\RECYCLER\lsass.exe
  •  C:\RECYCLER\msinfo\msinfo.exe

[Documents and Settings] is by default C:\Documents and Settings\ for Windows XP installations and C:\Users\ on 2K/Vista installation. [Current User] folder name is the same as the currently logged in user name.
4. Download SmallH_RegCleaner.zip, then extract and merge "SmallH_RegCleaner.reg" into your registry by double-clicking on the file.

Additional Details

Small.H is a virus with an internal spamming engine and backdoor functionality. Please see the sections below for more details.

Small.H, originally named lsass.exe, spreads itself using an internal spaming-engine that is controlled through a previously set-up backdoor.

It fools the user into executing its exe file by using a Windows folder icon and file names such as:

  •  Data.exe
  •  Documents.exe
  •  HotPictures.exe
  •  HotXXX.exe
  •  ImageGirls.exe
  •  SexyBoy.exe
  •  SexyGirls.exe
  •  Songs.exe

Small.H creates several copies of itself:

  •  C:\[Documents and Settings]\[Current User]\csrss.exe
  •  C:\[Documents and Settings]\[Current User]\Local Settings\Temp\FolderData.exe
  •  C:\[Documents and Settings]\[Current User]\winlogon.exe
  •  C:\RECYCLER\lsass.exe
  •  C:\RECYCLER\msinfo\msinfo.exe

It creates a number of autostart keys in the registry such as:

  •  [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
              Added value to "System"
              Added value to "Userinit"
  •  [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
              Added value to "load"
  •  [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
              Added value to (Default)
  •  Service key tree:
             o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsInfo]