Small.wy, Trojan.Win32.Qhost.br, Trojan-Downloader.Win32.Agent.le
Trojan.Win32.LowZones.ba, Trojan.Win32.Fakespy.a, Trojan.Win32.Puper.a
The 'Small.wy' trojan dropper first was reported to us from Denmark on April 13th, 2005. According to the report, it was originally downloaded from an X-Rated website. The trojan dropped a downloader that was designed to download additional trojans and adware to an affected a computer from 3 websites. Up to now we have several reports from customers infected with that trojan.
Disinfection & Removal
To get rid of the trojan itself and the files that are downloaded by the trojan, it is enough to delete them from an infected hard disk. The latest versions of F-Secure Anti-Virus can automatically disable (rename) the infected files. If automatic disinfection fails, please select 'Delete' disinfection action for all files described below, when they are detected. Instructions are here:
Please remember to restart a computer after disinfection.
The original file that was submitted to us is called 'codec.exe'. It is a Russian-made trojan dropper. It is now detected as 'Trojan-Dropper.Win32.Small.wy'. The dropper drops another executable file with the 'msmsgs.exe' name into Windows System folder and runs it. It also creates a startup key for the dropped file:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "MSN Messenger" = "%WinSysDir%\msmsgs.exe"
The dropped file is a trojan downloader. It is now detected as 'Trojan-Downloader.Win32.Agent.lx'. When run, it creates a new startup key for itself:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run] "notepad.exe" = "msmsgs.exe"
Also it adds itself to the SHELL= variable in the following key:
The trojan downloader tries to inject its code into Windows Explorer and then connects to one of the following websites:
vnp7s.net zxserv0.com dumpserv.com
First the trojan downloader just connects and reads the response from the website. If the response is equal to '0b723718-9389-4ca8-86f4-632a4bbc88a4', the trojan connects to the site again and sends information by the specially constructed URL (supplies unique ID, country info and language of operating system). As a response, the trojan gets a list of files to download. Last time we checked it, the website contained the following list of files:
T54111925.so H53131712.so A54102200.so S53252000.so A04111925.so M54111925.so P54111925.so
After that the trojan downloader connects to the site again to download all listed files. The downloaded files are stored in the '\%WinSysDir%\LogFiles\' folder. The files are activated after they are downloaded. All the above mentioned servers contain the same functionality and files as far as we could see.
The 'A04111925.so' file is a trojan that adds many websites to the Trusted Internet Zone area. It is now detected as 'Trojan.Win32.LowZones.ba'. Here's an example list of the sites that are added (the actual list is much longer):
www.niger.ru awmdabest.com 20x2p.com love-catalog.net
Also the trojan adds certain ranges of IP addresses to the Trusted Internet Zone Ranges, here's an example:
69.50.191.* 69.50.189.* 69.50.187.* 69.50.182.*
The 'H53131712.so' file is a trojan that modifies HOSTS file. It is now detected as 'Trojan.Win32.Qhost.br'. This trojan modifies Windows HOSTS file so that connection to certain websites (probably competitors' websites) point to the 'localhost' and, as a result, is denied. Here's an example of such modification (the full list is much longer):
127.0.0.1 e-finder.cc 127.0.0.1 fast-look.com 127.0.0.1 adulthell.com 127.0.0.1 datingforlove.org 127.0.0.1 meetyourfriend.biz
The 'A54102200.so' file is a trojan dropper. It is now detected as 'Trojan-Downloader.Win32.Agent.le'. It drops 2 files - a trojan and a trojan downloader. The trojan's file is named 'wp.exe' and it is dropped to the root of C: drive. This trojan is now detected as 'Trojan.Win32.Agent.ct'. The trojan extracts the 'wp.bmp' image file to the root folder and sets this file as a wallpaper. The image shows a fake error message that resembles a message that older Windows versions were showing in case of a critical error. The trojan also creates a startup key for itself in System Registry.
The trojan downloder is dropped as 'Security iGuard.exe' file and it is supposed to download some third-party software from the 'securityguard.com' website (adware makers). The downloader is already detected as 'Trojan-Downloader.Win32.Agent.le'.
The 'S53252000.so' file is trojan dropper. It is already detected as 'Trojan-Dropper.Win32.Small.xc'. It drops a file named 'ole32vbs.exe' into Windows System folder and runs it. It also drops a few ICO (icon) files to the same folder.
The 'ole32vbs.exe' file is a trojan that adds several URLs with the search sites to Internet Explorer Favourites. This file is already detected as 'Trojan.Win32.Favadd.t'.
The 'M54111925.so' file is another trojan dropper. It is now detected as 'Trojan-Dropper.Win32.Small.xa'. It terminates Internet Explorer's process and then drops and runs a file named 'helper.exe' to Windows System folder. This file is an intrusive adware that is now detected as 'Trojan.Win32.Fakespy.a'. It creates a startup key for its file in the Registry and from time to time shows fake alerts. The URL from such alert messages point to a search engine:
where <value> can be one of the following (depends on the alert type):
spyware network security popup blocker evidence eliminator download internet speed usb adapter backup software antivirus disk clean up "net detective isp windows font anti spam ups wireless internet
The website provides URLs to other websites that offer different products or software for download.
The 'T54111925.so' file is yet another trojan dropper. It is now detected as 'Trojan-Dropper.Win32.Small.xd'. It creates a subfolder named 'Virtual Maid" under the 'Program Files' folder and drops 3 BMP images, one batch file, one XML and one DLL files there. The DLL file is an adware that is registered as a system component and acts as a toolbar for Internet Explorer. The batch file should uninstall this adware package from a system, however it did not work on our test system.
The 'P54111925.so' file is a trojan dropper. It is detected as 'Trojan-Dropper.Win32.Small.xb'. It drops 2 files to Windows folder and runs them:
One file is dropped to Windows System folder and is run too:
The 'intmonp.exe' process monitors the 'popuper.exe' process and restarts it in case it is killed. The 'popuper.exe' process, in its turn, monitors the 'intmonp.exe' process and restarts it if it is killed. Moreover, the Registry startup keys for the 'pupuper.exe' file and its executable file are re-created if they are deleted. So it is quite difficult to get rid of these files manually. Both files are now detected as 'Trojan.Win32.Puper.a'.
The 'popuper.exe' file is an intrusive adware that shows popups with URLs taken from the 'sites.ini' file. The 'sites.ini' file contains a list of URLs, for example:
When this URL is accessed, a fake alert message is shown, for example:
Your Windows is infected. You must choose and download your spyware removal from Windows authorized list. Please do it here and try for free to be absolutely sure in its' real effect:
and then goes a list of sites where different software can be downloaded.
It should be noted that all trojan droppers delete their files after they drop their payload.
To sum it up, the whole package was created to install adware components to a system, to prevent a user from accessing competitors' websites, to provide fake information to a user and to trick him/her to download additional software from friendly websites. We have reported this case to the authorities.
FSAV detects the trojan and the files that it downloads to a computer starting from
the following updates:
Detection Type: PC
Description Created: Alexey Podrezov, April 14th, 2005