F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : Small.avu

[Summary] | [Detailed Description] | [Detection]



NAME:Small.avu
ALIAS:Trojan-Downloader.Win32.Small.avu, W32/Small.avu
ALIAS:Backdoor.Win32.Dumador.bl, Backdoor.Win32.Dumadoor.bl

Summary

We got several reports about the 'Small.avu' trojan downloader on May 24th, 2005. According to those reports the trojan was spammed to a large number of people in e-mail messages. The trojan downloader is programmed to download and run a Dumador backdoor variant from a website.

Detailed Description

The trojan downloader's file is a PE executable 1648 bytes long, packed with FSG file compressor.

According to the reports the trojan downloader was spammed with e-mail messages that looked like that:

Subject:

 ISTE RUS CITIRLAR

Body:

 SELAM BEYLER!!!!
 NATASHALAR SIZLERI BEKLIYOR::::..
 HERZAMAN BIR RUSYALI NATASHA ILE SEX DOLU BIR GECE YASAMAYI HEPINIZ
 DUSUNMUSSUNUZDUR.ISTE FIRSAT.BU GERCEKLESEBILIR,YUZLERCE RUS KIZI
 TURKIYEYE GELMEK ICIN SIZLERI BEKLIYOR.7/24 SIZINLE VE EMRINIZDE.
 MAILIMIZDE KIZLARIMIZIN RESIMLERINI GOREBILIRSINIZ.BEGENIN,SECIN.VE SIZIN OLSUN.
 GERISI SIZE KALMIS:::.

The trojan downloader's file was attached to these messages as 'ATTACH.RAR.EXE' file. When this file is run by a user, it attempts to download and run a variant of Dumador backdoor from the following website:

 tr.distributed-hosting.com

We have reported the abuse to the ISP that hosts that website.

Back to the Top


Detection

The downloaded Dumador backdoor variant is detected as 'Backdoor.Win32.Dumador.bl' with the following F-Secure Anti-Virus update:

[FSAV_Database_Version]

Version=2005-04-27_01

The trojan downloader is detected as 'W32/Small.avu' with the following F-Secure Anti-Virus update:

[FSAV_Database_Version]

Version=2005-05-24_02

Back to the Top


Writeup: Alexey Podrezov, May 24th, 2005;

F-Secure Corporation