Additional Details
The original file that was submitted to us is called 'codec.exe'.
It is a Russian-made trojan dropper. It is now detected as
'Trojan-Dropper.Win32.Small.wy'. The dropper drops another
executable file named 'msmsgs.exe' into the Windows System
folder and runs it. It also creates a startup key for the dropped
file:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"MSN Messenger" = "%WinSysDir%\msmsgs.exe"
The dropped file is a trojan downloader. It is now detected as
'Trojan-Downloader.Win32.Agent.lx'. When run, it creates a new
startup key for itself:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"notepad.exe" = "msmsgs.exe"
It also adds itself to the SHELL= value in the following key:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
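As an added illustration (not part of the original description), the following Python check parses a constructed .reg-style export and flags the three autostart locations listed above: a Run entry launching the dropped 'msmsgs.exe', an entry under policies\explorer\run whose display name masquerades as another program, and a Winlogon Shell value that is no longer just Explorer.exe. The sample export, the watchlist and the heuristics are assumptions made for the example.

```python
import re

# Constructed .reg-style export reproducing the three autostart locations
# described above (sample data, not a dump of a real system).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSN Messenger"="%WinSysDir%\\msmsgs.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"notepad.exe"="msmsgs.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe msmsgs.exe"
'''

RUN_KEY = r"software\microsoft\windows\currentversion\run"
POLICY_RUN_KEY = r"software\microsoft\windows\currentversion\policies\explorer\run"
WINLOGON_KEY = r"software\microsoft\windows nt\currentversion\winlogon"
WATCHLIST = {"msmsgs.exe"}  # dropped file name this report ties to the downloader

def parse_reg(text):
    """Return {key path (lowercased, hive stripped): {name: data}} from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].partition("\\")[2].lower()
            keys.setdefault(current, {})
        elif current and (m := re.match(r'"([^"]*)"="([^"]*)"$', line)):
            # .reg exports double every backslash; undo that for the data
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_persistence(text):
    """Return (reason, detail) pairs for the tampering this report describes."""
    findings = []
    reg = parse_reg(text)
    shell = reg.get(WINLOGON_KEY, {}).get("Shell", "")
    if shell and shell.strip().lower() != "explorer.exe":
        findings.append(("shell_tampered", shell))
    for key in (RUN_KEY, POLICY_RUN_KEY):
        for name, data in reg.get(key, {}).items():
            m = re.search(r'([^\\/"]+\.exe)', data, re.I)  # first launched binary
            exe = m.group(1).lower() if m else ""
            if key == POLICY_RUN_KEY:  # rarely populated on a clean system
                findings.append(("policy_run_entry", f"{name} -> {data}"))
            if name.lower().endswith(".exe") and name.lower() != exe:
                findings.append(("name_masquerade", f"{name} -> {data}"))
            if exe in WATCHLIST:
                findings.append(("watchlist_hit", f"{name} -> {data}"))
    return findings
```

The legitimate 'SynTPEnh' entry in the sample produces no finding, which is the false-positive check a practitioner would want before running such logic over real exports.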
The trojan downloader tries to inject its code into Windows
Explorer and then connects to one of the following websites:
vnp7s.net
zxserv0.com
dumpserv.com
First, the trojan downloader simply connects and reads the response
from the website. If the response is equal to
'0b723718-9389-4ca8-86f4-632a4bbc88a4', the trojan connects to
the site again and sends information via a specially constructed
URL (a unique ID, country information and the language of the
operating system). In response, the trojan receives a list of files
to download. When we last checked, the website contained the
following list of files:
T54111925.so
H53131712.so
A54102200.so
S53252000.so
A04111925.so
M54111925.so
P54111925.so
After that, the trojan downloader connects to the site again to
download all the listed files. The downloaded files are stored in
the '\%WinSysDir%\LogFiles\' folder and are activated once they
have been downloaded. As far as we could see, all the servers
mentioned above carry the same functionality and files.
The 'A04111925.so' file is a trojan that adds many websites to
the Trusted Internet Zone. It is now detected as
'Trojan.Win32.LowZones.ba'. Here is an example of the sites that
are added (the actual list is much longer):
www.niger.ru
awmdabest.com
20x2p.com
love-catalog.net
The trojan also adds certain IP address ranges to the Trusted
Internet Zone ranges; here is an example:
69.50.191.*
69.50.189.*
69.50.187.*
69.50.182.*
The 'H53131712.so' file is a trojan that modifies the HOSTS file.
It is now detected as 'Trojan.Win32.Qhost.br'. It modifies the
Windows HOSTS file so that connections to certain websites
(probably competitors' websites) are pointed at 'localhost' and,
as a result, fail. Here is an example of such modifications (the
full list is much longer):
127.0.0.1 e-finder.cc
127.0.0.1 fast-look.com
127.0.0.1 adulthell.com
127.0.0.1 datingforlove.org
127.0.0.1 meetyourfriend.biz
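As an added example (not from the original description), the following Python code parses HOSTS file contents and reports hostnames that have been redirected to the loopback address, which is how the modification above denies access to those sites. It goes slightly beyond the report by also treating 0.0.0.0 redirects as sinkholing and by handling several hostnames on one line; the sample file and the allow-list of loopback names are constructed for the example.

```python
import ipaddress

# Constructed HOSTS file contents: the stock loopback lines plus entries of
# the kind this report describes (sample data, not a real infected file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 e-finder.cc
127.0.0.1 fast-look.com www.fast-look.com   # two names on one line
0.0.0.0   meetyourfriend.biz
192.168.1.10 intranet.example
"""

# Names that legitimately resolve to loopback and must not be flagged.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, one per hostname, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def sinkholed_hosts(text):
    """Return (ip, hostname) pairs whose hostname is mapped to a loopback or
    unspecified address, i.e. entries that silently deny access to those sites."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address; not part of this check
        if (addr.is_loopback or addr.is_unspecified) and name not in LOOPBACK_NAMES:
            hits.append((ip, name))
    return hits
```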
The 'A54102200.so' file is a trojan dropper. It is now detected
as 'Trojan-Downloader.Win32.Agent.le'. It drops two files: a
trojan and a trojan downloader. The trojan's file is named
'wp.exe' and is dropped to the root of the C: drive. This trojan
is now detected as 'Trojan.Win32.Agent.ct'. It extracts the
'wp.bmp' image file to the root folder and sets this file as the
wallpaper. The image shows a fake error message that resembles
the message older Windows versions displayed in case of a
critical error. The trojan also creates a startup key for itself
in the System Registry.
The trojan downloader is dropped as the 'Security iGuard.exe' file
and is supposed to download third-party software from the
'securityguard.com' website (adware makers). The downloader is
already detected as 'Trojan-Downloader.Win32.Agent.le'.
The 'S53252000.so' file is a trojan dropper. It is already detected
as 'Trojan-Dropper.Win32.Small.xc'. It drops a file named
'ole32vbs.exe' into the Windows System folder and runs it. It also
drops a few ICO (icon) files into the same folder.
The 'ole32vbs.exe' file is a trojan that adds several URLs of
search sites to the Internet Explorer Favourites. This file is
already detected as 'Trojan.Win32.Favadd.t'.
The 'M54111925.so' file is another trojan dropper. It is now
detected as 'Trojan-Dropper.Win32.Small.xa'. It terminates
Internet Explorer's process and then drops a file named
'helper.exe' into the Windows System folder and runs it. This file
is intrusive adware that is now detected as 'Trojan.Win32.Fakespy.a'.
It creates a startup key for its file in the Registry and from time
to time shows fake alerts. The URL in such alert messages points
to a search engine:
http://msxpsupport.com/soft/search.php?said=dsm&qq=<value>
where <value> can be one of the following (depending on the alert
type):
spyware
network security
popup blocker
evidence eliminator download
internet speed
usb adapter
backup software
antivirus
disk clean up
net detective
isp
windows font
anti spam
ups
wireless internet
The website provides URLs to other websites that offer different
products or software for download.
The 'T54111925.so' file is yet another trojan dropper. It is now
detected as 'Trojan-Dropper.Win32.Small.xd'. It creates a
subfolder named 'Virtual Maid' under the 'Program Files' folder
and drops three BMP images, one batch file, one XML file and one
DLL file there. The DLL file is adware that is registered as a
system component and acts as a toolbar for Internet Explorer. The
batch file should uninstall this adware package from a system;
however, it did not work on our test system.
The 'P54111925.so' file is a trojan dropper. It is detected as
'Trojan-Dropper.Win32.Small.xb'. It drops two files into the
Windows folder and runs them:
popuper.exe
sites.ini
One more file is dropped into the Windows System folder and run too:
intmonp.exe
The 'intmonp.exe' process monitors the 'popuper.exe' process and
restarts it if it is killed. The 'popuper.exe' process, in its
turn, monitors the 'intmonp.exe' process and restarts it if it is
killed. Moreover, the Registry startup keys for the 'popuper.exe'
file and its companion executable are re-created if they are
deleted, so it is quite difficult to get rid of these files
manually. Both files are now detected as 'Trojan.Win32.Puper.a'.
The 'popuper.exe' file is intrusive adware that shows popups
with URLs taken from the 'sites.ini' file. The 'sites.ini' file
contains a list of URLs, for example:
http://www.instantsearch.cc/pop/spyware2/search.php?said=d010&qq=spyware
When this URL is accessed, a fake alert message is shown, for
example:
Your Windows is infected. You must choose and download your
spyware removal from Windows authorized list. Please do it here
and try for free to be absolutely sure in its' real effect:
followed by a list of sites where various software can be
downloaded.
It should be noted that all the trojan droppers delete their files
after they have dropped their payload.
To sum up, the whole package was created to install adware
components on a system, to prevent the user from accessing
competitors' websites, to feed the user false information and to
trick him or her into downloading additional software from friendly
websites. We have reported this case to the authorities.
Detection
FSAV detects the trojan and the files it downloads to a computer
starting from the following updates:
[FSAV_Database_Version]
Version=2005-04-14_01
Technical Details:
Alexey Podrezov, April 14th, 2005.