Threat Description

Small.TL

Details

Aliases: Small.TL, Email-Worm.Win32.Bagle.al, Trojan-Dropper.Win32.Small.tl
Category: Malware
Type:
Platform: W32

Summary



This trojan dropper appeared on February 28th, 2005. The dropper was spread in e-mail messages, but it is not clear whether these were seeded e-mails or whether a Bagle variant was behind them. At the time this description was written we had not seen any Bagle variant that sends such a dropper in e-mails; however, we are seeing 2 new variants that send out similar droppers.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to the General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



The dropper is a PE executable file 18432 bytes long. The dropped file is a DLL 15360 bytes long. Neither the dropper nor the DLL is packed.

Installation to system

When the dropper's file is run, it copies itself to the Windows System directory as WINSHOST.EXE and drops a DLL file named WIWSHOST.EXE there. The DLL is then injected into the Explorer.exe process.

The dropper/injector creates 2 startup entries for its file in the Windows Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%winsysdir%\winshost.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%winsysdir%\winshost.exe"

where '%winsysdir%' represents the Windows System folder. This ensures the dropper is run every time Windows starts.
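
The Run entries above are the persistence indicator a responder would look for first. The following is an added example (not F-Secure's code or part of this description): it parses the text format written by `reg export` and reports Run values whose image name is one of the dropper's file names. The registry export embedded in the script is constructed for the example, with two benign filler values alongside the winshost.exe entries.

```python
"""Triage a `reg export` dump for the Small.TL startup entries.

Added example, not part of the F-Secure description. The .reg text format
(section headers in brackets, quoted "name"="data" lines, backslashes and
quotes escaped) is parsed directly so the check can run offline on an
export collected from a suspect host.
"""
import re

# Constructed sample of exporting both Run keys on an infected host.
# ctfmon.exe and SoundMan are benign filler; the winshost.exe lines are the IoCs.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"
"""

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# File names used by the dropper and its DLL, taken from the description.
INDICATOR_FILES = {"winshost.exe", "wiwshost.exe"}

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo the two escapes `reg export` applies inside quoted strings."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for every named value in a .reg export.

    REG_SZ data is unquoted and unescaped; other types (dword:, hex:) are
    yielded as their raw text so callers still see that the value exists."""
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and current_key is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            yield current_key, _unescape(name), data


def find_run_indicators(text, indicators=INDICATOR_FILES):
    """Return [(key, value_name, data)] for Run values whose image is an indicator file."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        # First whitespace-delimited token is the image path; keep only its basename.
        image = data.strip('"').split()[0] if data.strip() else ""
        basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in indicators:
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_run_indicators(SAMPLE_REG_EXPORT):
        print(f"[{key}] {name} = {data}")
```

Matching on the basename rather than the full path is deliberate: the description gives the location only as '%winsysdir%', which expands differently across Windows versions, so the check should not depend on a particular drive letter or directory.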

The downloader and its payload

The WIWSHOST.EXE file is mainly a downloader, but it also disables anti-virus and security software. When it is run, it first kills services with the following names:

wuauserv
 PAVSRV
 PAVFNSVR
 PSIMSVC
 Pavkre
 PavProt
 PREVSRV
 PavPrSrv
 SharedAccess
 navapsvc
 NPFMntor
 Outpost Firewall
 SAVScan
 SBService
 Symantec Core LC
 ccEvtMgr
 SNDSrvc
 ccPwdSvc
 ccSetMgr.exe
 SPBBCSvc
 KLBLMain
 avg7alrt
 avg7updsvc
 vsmon
 CAISafe
 avpcc
 fsbwsys
 backweb client - 4476822
 backweb client-4476822
 fsdfwd
 F-Secure Gatekeeper Handler Starter
 FSMA
 KAVMonitorService
 navapsvc
 NProtectService
 Norton Antivirus Server
 VexiraAntivirus
 dvpinit
 dvpapi
 schscnt
 BackWeb Client - 7681197
 F-Secure Gatekeeper Handler Starter
 FSMA
 AVPCC
 KAVMonitorService
 Norman NJeeves
 NVCScheduler
 nvcoas
 Norman ZANDA
 PASSRV
 SweepNet
 SWEEPSRV.SYS
 NOD32ControlCenter
 NOD32Service
 PCCPFW
 Tmntsrv
 AvxIni
 XCOMM
 ravmon8
 SmcService
 BlackICE
 PersFW
 McAfee Firewall
 OutpostFirewall
 NWService
 alerter
 sharedaccess
 NISUM
 NISSERV
 vsmon
 nwclnth
 nwclntg
 nwclnte
 nwclntf
 nwclntd
 nwclntc
 wuauserv
 navapsvc
 Symantec Core LC
 SAVScan
 kavsvc
 DefWatch
 Symantec AntiVirus Client
 NSCTOP
 Symantec Core LC
 SAVScan
 SAVFMSE
 ccEvtMgr
 navapsvc
 ccSetMgr
 VisNetic AntiVirus Plug-in
 McShield
 AlertManger
 McAfeeFramework
 AVExch32Service
 AVUPDService
 McTaskManager
 Network Associates Log Service
 Outbreak Manager
 MCVSRte
 mcupdmgr.exe
 AvgServ
 AvgCore
 AvgFsh
 awhost32
 Ahnlab task Scheduler
 MonSvcNT
 V3MonNT
 V3MonSvc
 FSDFWD
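
A mass stop of security services like the one above leaves a recognisable trace in the Service Control Manager log, and a burst of such stops within seconds is a much stronger signal than any single one. The following is an added example (not F-Secure's code): it parses service-state records in a constructed one-line-per-event text format (timestamp, Event ID 7036, service name, new state) and alerts when several services from the kill list stop within a short window. The watched-service set is a subset of the names listed in the description.

```python
"""Flag bursts of security-service stops as a tampering signal.

Added example, not from the description. The input format is a constructed
text rendering of SCM Event ID 7036 ("The X service entered the Y state")
records; a real deployment would read the System event log instead.
"""
from datetime import datetime, timedelta
import re

# Subset of the service names the downloader stops (from the description),
# normalised to lower case for matching.
WATCHED_SERVICES = {s.lower() for s in [
    "wuauserv", "SharedAccess", "wscsvc", "navapsvc", "ccEvtMgr", "ccSetMgr",
    "SAVScan", "Symantec Core LC", "vsmon", "avg7alrt", "avg7updsvc",
    "McShield", "fsbwsys", "fsdfwd", "FSMA", "KAVMonitorService",
]}

# Constructed sample log: one burst of stops, a normal restart later, one isolated stop.
SAMPLE_LOG = """\
2005-02-28T10:15:00 7036 service="Print Spooler" state=stopped
2005-02-28T10:15:02 7036 service="wuauserv" state=stopped
2005-02-28T10:15:02 7036 service="SharedAccess" state=stopped
2005-02-28T10:15:03 7036 service="navapsvc" state=stopped
2005-02-28T10:15:03 7036 service="ccEvtMgr" state=stopped
2005-02-28T10:15:03 7036 service="SAVScan" state=stopped
2005-02-28T10:15:04 7036 service="fsdfwd" state=stopped
2005-02-28T11:40:00 7036 service="wuauserv" state=running
2005-02-28T12:00:00 7036 service="vsmon" state=stopped
"""

_LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<event>\d+)\s+service="(?P<svc>[^"]+)"\s+state=(?P<state>\w+)$')


def parse_scm_lines(text):
    """Yield (timestamp, service, state) for 7036 records; skip anything else."""
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m or m.group("event") != "7036":
            continue
        yield datetime.fromisoformat(m.group("ts")), m.group("svc"), m.group("state")


def detect_service_kill_bursts(text, window=timedelta(seconds=60), threshold=3):
    """Return one alert per burst: (first_stop_time, sorted watched services stopped).

    A burst is a run of stops of watched services, each within `window` of the
    run's first stop, affecting at least `threshold` distinct services. Stops of
    unwatched services and non-stop transitions are ignored, so a single
    service restart does not alert."""
    alerts = []
    run_start, run_services = None, set()

    def flush():
        if len(run_services) >= threshold:
            alerts.append((run_start, sorted(run_services)))

    for ts, svc, state in parse_scm_lines(text):
        if state != "stopped" or svc.lower() not in WATCHED_SERVICES:
            continue
        if run_start is None or ts - run_start > window:
            flush()
            run_start, run_services = ts, set()
        run_services.add(svc)
    flush()
    return alerts


if __name__ == "__main__":
    for start, services in detect_service_kill_bursts(SAMPLE_LOG):
        print(f"{start.isoformat()}: {len(services)} security services stopped: "
              + ", ".join(services))
```

The threshold and window are the tuning knobs: a clean shutdown also stops these services, but it stops every other service too and is preceded by its own log records, so in practice the rule is paired with a check that the host did not reboot.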

The trojan then starts a thread that deletes the following Registry keys and values:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Symantec NetDriver Monitor
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ccApp
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,NAV CfgWiz
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SSC_UserPrompt
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee Guardian
 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee.InstantUpdate.Monitor
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,APVXDWIN
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,KAV50
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_cc
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_emc
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Zone Labs Client
 HKLM\SOFTWARE\Symantec
 HKLM\SOFTWARE\McAfee
 HKLM\SOFTWARE\KasperskyLab
 HKLM\SOFTWARE\Agnitum
 HKLM\SOFTWARE\Panda Software
 HKLM\SOFTWARE\Zone Labs

After that the trojan starts a thread that scans all hard drives and deletes any file with the following name:

mysuperprog.exe

Additionally, this thread renames files belonging to security and anti-virus software. The following files get renamed:

CCSETMGR.EXE
 CCEVTMGR.EXE
 NAVAPSVC.EXE
 NPFMNTOR.EXE
 symlcsvc.exe
 SPBBCSvc.exe
 SNDSrvc.exe
 ccApp.exe
 ccl30.dll
 ccvrtrst.dll
 LUALL.EXE
 AUPDATE.EXE
 Luupdate.exe
 LUINSDLL.DLL
 RuLaunch.exe
 CMGrdian.exe
 Mcshield.exe
 outpost.exe
 Avconsol.exe
 Vshwin32.exe
 VsStat.exe
 Avsynmgr.exe
 kavmm.exe
 Up2Date.exe
 KAV.exe
 avgcc.exe
 avgemc.exe
 zonealarm.exe
 zatutor.exe
 zlavscan.dll
 zlclient.exe
 isafe.exe
 cafix.exe
 vsvault.dll
 av.dll
 vetredir.dll

The files listed above are renamed to the following names:

C1CSETMGR.EXE
 CC1EVTMGR.EXE
 NAV1APSVC.EXE
 NPFM1NTOR.EXE
 s1ymlcsvc.exe
 SP1BBCSvc.exe
 SND1Srvc.exe
 ccA1pp.exe
 cc1l30.dll
 ccv1rtrst.dll
 LUAL1L.EXE
 AUPD1ATE.EXE
 Luup1date.exe
 LUI1NSDLL.DLL
 RuLa1unch.exe
 CM1Grdian.exe
 Mcsh1ield.exe
 outp1ost.exe
 Avc1onsol.exe
 Vshw1in32.exe
 Vs1Stat.exe
 Av1synmgr.exe
 kav12mm.exe
 Up222Date.exe
 K2A2V.exe
 avgc3c.exe
 avg23emc.exe
 zonealarm.exe
 zatutor.exe
 zlavscan.dll
 zo3nealarm.exe
 zatu6tor.exe
 zl5avscan.dll
 zlcli6ent.exe
 is5a6fe.exe
 c6a5fix.exe
 vs6va5ult.dll
 a5v.dll
 ve6tre5dir.dll

As a result, all the affected software keeps working until the next system restart. After the restart, the affected software will no longer start because its files were renamed by the trojan.
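
The renaming scheme above inserts decimal digits into the original file names, which makes the damage reversible if the original can be recovered from the renamed file. Simply stripping digits is not enough, because originals such as Up2Date.exe, Vshwin32.exe and ccl30.dll carry digits of their own. The following added example (not F-Secure's code) checks instead whether a known original is obtained from a file name by deleting digits only, and maps a constructed directory listing back to the originals. The list of known originals is a subset of the names in the description.

```python
"""Map digit-inserted file names back to the security-software originals.

Added example, not from the description. `obtained_by_digit_insertion`
aligns the two names greedily left to right: equal characters consume both
strings, and an unmatched character in the candidate may be skipped only if
it is a digit. Comparison is case-insensitive, as Windows file lookups are.
"""

# Original file names from the description (a representative subset).
KNOWN_ORIGINALS = [
    "CCSETMGR.EXE", "CCEVTMGR.EXE", "NAVAPSVC.EXE", "symlcsvc.exe", "ccApp.exe",
    "ccl30.dll", "LUALL.EXE", "AUPDATE.EXE", "Mcshield.exe", "outpost.exe",
    "Vshwin32.exe", "kavmm.exe", "Up2Date.exe", "KAV.exe", "avgcc.exe",
    "zonealarm.exe", "zlclient.exe", "isafe.exe", "vetredir.dll",
]

# Constructed directory listing: renamed names from the description mixed
# with benign files and one untouched original (ccl30.dll).
SAMPLE_LISTING = [
    "C1CSETMGR.EXE", "NAV1APSVC.EXE", "Up222Date.exe", "Vshw1in32.exe", "K2A2V.exe",
    "ve6tre5dir.dll", "zonealarm.exe", "notepad.exe", "kernel32.dll", "ccl30.dll",
]


def obtained_by_digit_insertion(original, candidate):
    """True if `candidate` equals `original` with zero or more digits inserted."""
    o, c = original.lower(), candidate.lower()
    i = 0
    for ch in c:
        if i < len(o) and ch == o[i]:
            i += 1          # character matches the original: consume it
        elif not ch.isdigit():
            return False    # extra character that is not an inserted digit
    return i == len(o)      # every original character must have been consumed


def find_renamed_files(file_names, originals=KNOWN_ORIGINALS):
    """Return {renamed_name: original_name} for digit-inserted copies of known originals.

    Names identical to an original are not reported, since they need no repair."""
    result = {}
    for name in file_names:
        for original in originals:
            if name.lower() != original.lower() and obtained_by_digit_insertion(original, name):
                result[name] = original
                break
    return result


if __name__ == "__main__":
    for renamed, original in find_renamed_files(SAMPLE_LISTING).items():
        print(f"{renamed} -> {original}")
```

Greedy matching is sound here because the only permitted deletions are digits: if an alignment skips a digit that equals the next original character, matching it instead and skipping the later copy gives an alignment that is equally valid.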

After this the trojan terminates services with the following names:

SharedAccess
 wscsvc

Next, the trojan creates a thread that kills processes with the following names:

AVXQUAR.EXE
 ESCANHNT.EXE
 UPGRADER.EXE
 AVXQUAR.EXE
 AVWUPD32.EXE
 AVPUPD.EXE
 CFIAUDIT.EXE
 UPDATE.EXE
 NUPGRADE.EXE
 MCUPDATE.EXE
 ATUPDATER.EXE
 AUPDATE.EXE
 AUTOTRACE.EXE
 AUTOUPDATE.EXE
 FIREWALL.EXE
 ATUPDATER.EXE
 LUALL.EXE
 DRWEBUPW.EXE
 AUTODOWN.EXE
 NUPGRADE.EXE
 OUTPOST.EXE
 ICSSUPPNT.EXE
 ICSUPP95.EXE
 ESCANH95.EXE

Finally, the trojan tries to download a file from several web servers. The file is saved to the Windows directory as '_re_file.exe' and run. The trojan tries to download from the following hardcoded locations:

http://www.amanit.ru/zo2.jpg
 http://www.anthonyflanagan.com/zo2.jpg
 http://www.approved1stmortgage.com/zo2.jpg
 http://www.argument.h12.ru/zo2.jpg
 http://www.arkebek.de/zo2.jpg
 http://www.artek.org/zo2.jpg
 http://www.asianfestival.nl/zo2.jpg
 http://www.astergut.at/zo2.jpg
 http://www.aviation-center.de/zo2.jpg
 http://www.bbsh.org/zo2.jpg
 http://www.besino.com/zo2.jpg
 http://www.bestbuy.de/zo2.jpg
 http://www.beta.mtw.ru/zo2.jpg
 http://www.bga-gsm.ru/zo2.jpg
 http://www.blessino.com/zo2.jpg
 http://www.blueeyeinc.com/zo2.jpg
 http://www.breaklight.be/zo2.jpg
 http://www.brzesko.net.pl/zo2.jpg
 http://www.catsystem.com.kg/zo2.jpg
 http://www.cdnpartner.com.pl/zo2.jpg
 http://www.ceskyhosting.cz/zo2.jpg
 http://www.channeland.com/zo2.jpg
 http://www.compsolutionstore.com/zo2.jpg
 http://www.concept.kg/zo2.jpg
 http://www.corpsite.com/zo2.jpg
 http://www.couponcapital.net/zo2.jpg
 http://www.DarrkSydebaby.com/zo2.jpg
 http://www.dehut-westerhoven.nl/zo2.jpg
 http://www.dhl.kg/zo2.jpg
 http://www.dierollendedisco.de/zo2.jpg
 http://www.discobaradventure.be/zo2.jpg
 http://www.e-nfo.com/zo2.jpg
 http://www.e-power.com.cn/zo2.jpg
 http://www.ecobank.kg/zo2.jpg
 http://www.elenalazar.com/zo2.jpg
 http://www.epicbiz.com/zo2.jpg
 http://www.europa.kg/zo2.jpg
 http://www.everett.wednet.edu/zo2.jpg
 http://www.externet.hu/zo2.jpg
 http://www.forester.kg/zo2.jpg
 http://www.fotocliparts.de/zo2.jpg
 http://www.fotonw.org/zo2.jpg
 http://www.freesites.com.br/zo2.jpg
 http://www.funbunker.de/zo2.jpg
 http://www.funworld.tv/zo2.jpg
 http://www.gameser.com@share.gameser.com/zo2.jpg
 http://www.gci-bln.de/zo2.jpg
 http://www.gcnet.ru/zo2.jpg
 http://www.giantrevenue.com/zo2.jpg
 http://www.himpsi.org/zo2.jpg
 http://www.i3dvr.com/zo2.jpg
 http://www.ibigmart.net/zo2.jpg
 http://www.idb-group.net/zo2.jpg
 http://www.illusionoflife.net/zo2.jpg
 http://www.infocuspromo.com/zo2.jpg
 http://www.irinaswelt.de/zo2.jpg
 http://www.jansenboiler.com/zo2.jpg
 http://www.jasnet.pl/zo2.jpg
 http://www.jcribeiro.com/zo2.jpg
 http://www.jewelleryamberproducts.com/zo2.jpg
 http://www.jimvann.com/zo2.jpg
 http://www.jldr.ca/zo2.jpg
 http://www.jordanramey.net/zo2.jpg
 http://www.joy-musik-sound.de/zo2.jpg
 http://www.justrepublicans.com/zo2.jpg
 http://www.katel.kg/zo2.jpg
 http://www.knicks.nl/zo2.jpg
 http://www.koebers.pl/zo2.jpg
 http://www.kogaionon.com/zo2.jpg
 http://www.kplus.kg/zo2.jpg
 http://www.kradtraining.de/zo2.jpg
 http://www.kranenberg.de/zo2.jpg
 http://www.kranenberg.de:113547@/zo2.jpg
 http://www.kstrus.com.pl/zo2.jpg
 http://www.ktsonline.de/zo2.jpg
 http://www.lahelaino.com/zo2.jpg
 http://www.lawform.com.au/zo2.jpg
 http://www.leetexgroup.com/zo2.jpg
 http://www.leshrak.de/zo2.jpg
 http://www.leshrak.de:prophets@/zo2.jpg
 http://www.logoseiten.de/zo2.jpg
 http://www.magicbottle.com.tw/zo2.jpg
 http://www.mcuserver.cz/zo2.jpg
 http://www.mega-spass.com/zo2.jpg
 http://www.mega.kg/zo2.jpg
 http://www.mepbisu.de/zo2.jpg
 http://www.mepmh.de/zo2.jpg
 http://www.mtfdesign.com/zo2.jpg
 http://www.mtransit.kg/zo2.jpg
 http://www.neotech.kg/zo2.jpg
 http://www.nikonfotoshare.com/zo2.jpg
 http://www.novosti.kg/zo2.jpg
 http://www.ok.kg/zo2.jpg
 http://www.onepositiveplace.org/zo2.jpg
 http://www.online.kg/zo2.jpg
 http://www.orangesuburban.5u.com/zo2.jpg
 http://www.otv.ch/zo2.jpg
 http://www.pageantpage.com/zo2.jpg
 http://www.pankration.com/zo2.jpg
 http://www.para-agility.com/zo2.jpg
 http://www.pdxracing.net/zo2.jpg
 http://www.pfadfinder-leobersdorf.com/zo2.jpg
 http://www.pipni.cz/zo2.jpg
 http://www.pjwstk.edu.pl/zo2.jpg
 http://www.polizeimotorrad.de/zo2.jpg
 http://www.proway-consulting.com/zo2.jpg
 http://www.pugetsoundyc.org/zo2.jpg
 http://www.pyrlandia-boogie.pl/zo2.jpg
 http://www.qphoto.co.za/zo2.jpg
 http://www.raecoinc.com/zo2.jpg
 http://www.realgps.com/zo2.jpg
 http://www.realty.kg/zo2.jpg
 http://www.redlightpictures.com/zo2.jpg
 http://www.reliance-yachts.com/zo2.jpg
 http://www.relocationflorida.com/zo2.jpg
 http://www.rentalstation.com/zo2.jpg
 http://www.rieraquadros.com.br/zo2.jpg
 http://www.roaming.kg/zo2.jpg
 http://www.sacohalle.be/zo2.jpg
 http://www.scanex-medical.fi/zo2.jpg
 http://www.scoping4success.com/zo2.jpg
 http://www.sert.ru/zo2.jpg
 http://www.sigi.lu/zo2.jpg
 http://www.spadochron.pl/zo2.jpg
 http://www.ssc.kg/zo2.jpg
 http://www.ssmifc.ca/zo2.jpg
 http://www.stadtmeyers.de/zo2.jpg
 http://www.stadtmeyers.de:R2D2c3po@/zo2.jpg
 http://www.sterlingirb.com/zo2.jpg
 http://www.sunassetholdings.com/zo2.jpg
 http://www.szantomierz.art.pl/zo2.jpg
 http://www.szosa.pl/zo2.jpg
 http://www.tambourenvereine.ch/zo2.jpg
 http://www.tarnow.opoka.org.pl/zo2.jpg
 http://www.tc-muraene.com/zo2.jpg
 http://www.tc-muraene.com:hunter@/zo2.jpg
 http://www.theroyalregistry.com/zo2.jpg
 http://www.transportation.gov.bh/zo2.jpg
 http://www.tumar.kg/zo2.jpg
 http://www.tunguska.hu/zo2.jpg
 http://www.turkeyhomes.com/zo2.jpg
 http://www.turkeyhomes.com@/zo2.jpg
 http://www.ulpiano.org/zo2.jpg
 http://www.unicity.pl/zo2.jpg
 http://www.vbw.info/zo2.jpg
 http://www.velezcourtesymanagement.com/zo2.jpg
 http://www.vorrix.com/zo2.jpg
 http://www.webpark.pl/zo2.jpg
 http://www.wecompete.com/zo2.jpg
 http://www.wp.pl/zo2.jpg
 http://www.wwwebad.com/zo2.jpg
 http://www.xpager321.wz.cz/zo2.jpg
 http://www.yamdiamonds.com/zo2.jpg
 http://www.zander-yachting.com/zo2.jpg

We are monitoring these locations in order to catch any malware that the trojan's author may put there.
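
Several entries in the list above are irregular: the text before an '@' in a URL's authority is userinfo, not the host, so `http://www.gameser.com@share.gameser.com/zo2.jpg` actually fetches from share.gameser.com, and `http://www.kranenberg.de:113547@/zo2.jpg` names no host at all. A blocklist built from the visible domain strings would therefore miss or misname some of these entries. The following added example (not F-Secure's code) uses Python's urllib.parse to derive the effective host of each URL and reports the irregular entries separately; the sample list is a handful of URLs copied from the description, including the odd ones.

```python
"""Derive effective download hosts from the trojan's hardcoded URL list.

Added example, not from the description. urlsplit() applies the standard
URL authority rules: userinfo is everything before the last '@' in the
netloc, and the host is whatever follows it (possibly nothing).
"""
from urllib.parse import urlsplit

# A few entries copied from the description's list, including the irregular ones.
HARDCODED_URLS = [
    "http://www.amanit.ru/zo2.jpg",
    "http://www.gameser.com@share.gameser.com/zo2.jpg",
    "http://www.kranenberg.de/zo2.jpg",
    "http://www.kranenberg.de:113547@/zo2.jpg",
    "http://www.leshrak.de:prophets@/zo2.jpg",
    "http://www.turkeyhomes.com@/zo2.jpg",
    "http://www.zander-yachting.com/zo2.jpg",
]


def effective_host(url):
    """Return the host an HTTP client would actually connect to, lower-cased,
    or None if the authority has no host (everything before '@' is userinfo)."""
    return urlsplit(url).hostname


def classify_urls(urls):
    """Split URLs into (hosts, irregular).

    `hosts` is the sorted list of distinct effective hostnames suitable for a
    blocklist; `irregular` lists (url, reason) for entries whose authority
    carries userinfo, so an analyst can review them by hand."""
    hosts, irregular = set(), []
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname
        if "@" in parts.netloc:
            userinfo = parts.netloc.rpartition("@")[0]
            detail = f"effective host is {host}" if host else "no host at all"
            irregular.append((url, f"userinfo {userinfo!r}; {detail}"))
        if host:
            hosts.add(host)
    return sorted(hosts), irregular


if __name__ == "__main__":
    hosts, irregular = classify_urls(HARDCODED_URLS)
    print("effective hosts:", ", ".join(hosts))
    for url, reason in irregular:
        print(f"irregular: {url} ({reason})")
```

The entries with an empty host would simply fail to connect, which is consistent with the description's note that these locations are being watched rather than already serving a payload.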



Detection


F-Secure Anti-Virus detects this malware starting from the following update:
Detection Type: PC
Database: 2005-02-28_01



Description Created: Alexey Podrezov, March 1st, 2005

