F-Secure Malware Information Pages: Trojan-Spy:W32/Small.BSL

Summary
Trojan-Spy applications are usually standalone programs that allow malicious individuals to monitor activity on infected computers.
Trojan-Spy:Win32.Small.BSL installs a component designed to steal installed certificates.
Detailed Description
Creates the following registry entries:

- HKEY_CLASSES_ROOT\CLSID\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}\InprocServer32
  (Default) = "C:\WINDOWS\system32\acrobat.dll"
  ThreadingModel = "Apartment"
  (Using the name, Adobe Acrobat ActiveX Control)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}
  NoExplorer = 0x00000001 (1)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Adobe Acrobat ActiveX Control = "Rundll32 acrobat.dll,AInit"

It attempts to create the following registry entry:

- HKEY_LOCAL_MACHINE\Software\Acrobat\
  "1" = "124.217.251.118"
  "2" = 0x00000050 (80)
  "3" = /NNN/parse.php

It then drops a file into the following folder:
The dropped file is called acrobat.dll and is 51712 bytes in size.
The malware sets acrobat.dll with a hidden file attribute and changes its date properties to the current system time.
Small.BSL then displays the following fake/decoy dialog message:

When the dialog box is closed the malware will search for and terminate all running Internet Explorer processes. After this, it will launch Internet Explorer as a hidden process which has the malicious component attached.
This malicious component acts like a Browser Helper Object (BHO).
After the user has started Internet Explorer the malware will attempt to communicate with a server located at the following URL:
- http://124.217.[REMOVED]/NNN/parse.php
The BHO has the following functionality:
- Steals installed certificates
- Deletes user cookie files
- Updates itself
- Deletes files from C:\Documents and Settings\%username%\Application Data\Macromedia\Flash Player\
- Updates registry information
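As an added example (not part of the F-Secure description and not the malware's own code), the following Python parses a constructed "reg export"-style dump of the keys listed above, resolves each registered Browser Helper Object CLSID to its InprocServer32 DLL, and pairs it with any Run entry that loads the same DLL through Rundll32, which is the persistence pattern this page describes. The sample dump and the function names are assumptions made for the example.

```python
# Added example: parse a constructed "reg export"-style dump (sample data, not a capture from an infected machine).
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\CLSID\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}\InprocServer32]
@="C:\\WINDOWS\\system32\\acrobat.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Acrobat ActiveX Control"="Rundll32 acrobat.dll,AInit"
'''
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}; handles strings and dwords only."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
        elif key and "=" in line and not line.startswith(";"):
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if raw.startswith("dword:"):
                reg[key][name] = int(raw[6:], 16)
            else:  # quoted string; .reg files escape backslashes as \\
                reg[key][name] = raw.strip('"').replace("\\\\", "\\")
    return reg

def find_bho_persistence(reg):
    """For every registered BHO, resolve its CLSID to the InprocServer32 DLL and
    list Run entries that load the same DLL via Rundll32 (the pattern on this page)."""
    findings = []
    for key in reg:
        if not key.startswith(BHO_KEY + "\\"):
            continue
        clsid = key.rsplit("\\", 1)[1]
        server = reg.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32", {})
        dll = server.get("(Default)", "")
        basename = dll.rsplit("\\", 1)[-1].lower()
        run_hits = [name for name, val in reg.get(RUN_KEY, {}).items()
                    if isinstance(val, str) and val.lower().startswith("rundll32")
                    and basename and basename in val.lower()]
        findings.append({"clsid": clsid, "dll": dll, "run_entries": run_hits})
    return findings
```

A BHO whose DLL is also named in a Rundll32 Run entry is the combination worth reviewing; legitimate BHOs normally do not need a separate Run-key loader.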
F-Secure Corporation
Last Modified: April 16, 2008