Threat Description

Small.QP

Details

Aliases: Small.QP
Category: Malware
Type: Trojan-Dropper
Platform: W32

Summary



Small.QP copies itself to the Windows folder and attempts to download and install other malware to the system.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Upon execution, this malware creates the mutex _Win_Loader_ to ensure that only one instance of itself is running in memory. Additionally, it drops the following files in the affected system:

  • %windir%\winlogon32.exe - A copy of itself (Detected as Trojan-Dropper.Win32.Small.qp)
  • %windir%\winlogon32.dll - Another malware file (Detected as Trojan-Downloader.Win32.Small.anj)
  • %windir%\prefoct.dat - An empty file

As a stealth mechanism, it loads the dropped DLL, winlogon32.dll, under the legitimate process lsass.exe. Trojan-Downloader.Win32.Small.anj, on the other hand, creates the mutex _Win_Loader__Win_Loader_.

This malware attempts to connect to the following web sites to possibly download other malicious components:

  • http://www.max-stats.com/l/[REMOVED].php?i=21 - Data downloaded is saved in the file %windir%\prefoct.dat
  • http://www.teen4-sex.com/[REMOVED].dat - Data downloaded is saved in the file %windir%\_tmp0232.exe

Small.QP then executes the downloaded file, _tmp0232.exe.

Note: Both download sites are unavailable at the time of writing.

There are additional details on Small.QP on F-Secure's Weblog.
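The file and DLL-loading behaviour described above can be turned into a host-telemetry check. The following is an added example, not part of the original description or any F-Secure product: it assumes event records shaped like Sysmon FileCreate (Event ID 11) and ImageLoad (Event ID 7) entries, and the function name, the `windir` default and the sample events are constructed for illustration.

```python
import ntpath

# File names Small.QP writes into %windir%, per the description above.
DROPPED = {"winlogon32.exe", "winlogon32.dll", "prefoct.dat", "_tmp0232.exe"}
INJECTED_DLL = "winlogon32.dll"

def _split(path):
    """Return (lower-cased directory, lower-cased file name) of a Windows path."""
    directory, name = ntpath.split(ntpath.normpath(path))
    return directory.lower(), name.lower()

def find_small_qp(events, windir=r"C:\Windows"):
    """Return (indicator, path) findings from Sysmon-style event dicts.

    Matching is case-insensitive and limited to files directly in windir,
    so files in System32 or other subfolders are not flagged.
    """
    windir = ntpath.normpath(windir).lower()
    findings = []
    for ev in events:
        if ev.get("EventID") == 11:  # FileCreate
            directory, name = _split(ev.get("TargetFilename", ""))
            if directory == windir and name in DROPPED:
                findings.append(("dropped_file", ev["TargetFilename"]))
        elif ev.get("EventID") == 7:  # ImageLoad
            _, proc = _split(ev.get("Image", ""))
            directory, dll = _split(ev.get("ImageLoaded", ""))
            if proc == "lsass.exe" and dll == INJECTED_DLL and directory == windir:
                findings.append(("dll_in_lsass", ev["ImageLoaded"]))
    return findings

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\u\a.exe", "TargetFilename": r"C:\WINDOWS\winlogon32.exe"},
    {"EventID": 11, "Image": r"C:\Users\u\a.exe", "TargetFilename": r"C:\Windows\prefoct.dat"},
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe", "ImageLoaded": r"C:\Windows\winlogon32.dll"},
    # Benign: the genuine winlogon.exe lives in System32 under a different name.
    {"EventID": 11, "Image": r"C:\setup.exe", "TargetFilename": r"C:\Windows\System32\winlogon.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe", "ImageLoaded": r"C:\Windows\System32\samsrv.dll"},
]

if __name__ == "__main__":
    for kind, path in find_small_qp(SAMPLE_EVENTS):
        print(kind, path)
```

An empty prefoct.dat on its own is a weak signal; the lsass.exe load of winlogon32.dll from the Windows folder is the stronger one.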





