F-Secure Virus Descriptions : Small.avu
[Summary] | [Detailed Description] | [Detection]
|
|
|
| NAME: | Small.avu |
| ALIAS: | Trojan-Downloader.Win32.Small.avu, W32/Small.avu |
| ALIAS: | Backdoor.Win32.Dumador.bl, Backdoor.Win32.Dumadoor.bl |
We got several reports about the 'Small.avu' trojan downloader on
May 24th, 2005. According to those reports the trojan was spammed
to a large number of people in e-mail messages. The trojan
downloader is programmed to download and run a Dumador backdoor
variant from a website.
The trojan downloader's file is a PE executable 1648 bytes long,
packed with FSG file compressor.
According to the reports the trojan downloader was spammed with
e-mail messages that looked like that:
Subject:
ISTE RUS CITIRLAR
Body:
SELAM BEYLER!!!!
NATASHALAR SIZLERI BEKLIYOR::::..
HERZAMAN BIR RUSYALI NATASHA ILE SEX DOLU BIR GECE YASAMAYI HEPINIZ
DUSUNMUSSUNUZDUR.ISTE FIRSAT.BU GERCEKLESEBILIR,YUZLERCE RUS KIZI
TURKIYEYE GELMEK ICIN SIZLERI BEKLIYOR.7/24 SIZINLE VE EMRINIZDE.
MAILIMIZDE KIZLARIMIZIN RESIMLERINI GOREBILIRSINIZ.BEGENIN,SECIN.VE SIZIN OLSUN.
GERISI SIZE KALMIS:::.
The trojan downloader's file was attached to these messages as
'ATTACH.RAR.EXE' file. When this file is run by a user, it
attempts to download and run a variant of Dumador backdoor from
the following website:
tr.distributed-hosting.com
We have reported the abuse to the ISP that hosts that website.
The downloaded Dumador backdoor variant is detected as
'Backdoor.Win32.Dumador.bl' with the following F-Secure
Anti-Virus update:
[FSAV_Database_Version]
Version=2005-04-27_01
The trojan downloader is detected as 'W32/Small.avu' with the
following F-Secure Anti-Virus update:
[FSAV_Database_Version]
Version=2005-05-24_02
Writeup:
Alexey Podrezov, May 24th, 2005;
F-Secure Corporation
|
