Trojan-Downloader:W32/Small.DOG

Threat description

Details

CATEGORYMalware
TYPETrojan-Downloader
DATE DISCOVEREDAugust 22, 2006

Summary

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.



Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Trojan-Downloader:W32/Small.DOG secretly downloads malware from a remote site to install and execute on the infected machine.

Distribution

Small.DOG may be delivered to the system in an infected file attachment accompanying German-language spam e-mail messages, such as below:

The attachment name used is Document.doc.exe. The attachment uses the Microsoft Word icon to disguise its executable nature and deceive the user into believing the attachment is a word document:

Execution

If the user executes the malware by clicking on the attachment, the Trojan creates a new instance of Svchost.exe using itself as the parameter.

It then drops the following file in the Windows System folder:

  • {Copied filename of any file found on the Windows System directory}{Random character}.exe

Small.DOG attempts to connect to one of the following websites to download an encrypted text file:

  • http://81.95.147.138/[...].txt
  • http://docslv.com/gallery/bridge/[...].txt
  • http://dreadwolf.net/[...].txt
  • http://dynafilmes.com.br/imagens/3/[...].txt
  • http://feldvossundpartner.de/images/[...].txt
  • http://jobundfit.de/images/[...].txt
  • http://leads4sales.co.uk/images/main/[...].txt
  • http://mkpicture.de/images/[...].txt
  • http://soloaguia.com/imagens/[...].txt
  • http://spbfp.atlant.ru/sys/[...].txt
  • http://spbfp.atlant.ru/sys/sys/[...].txt
  • http://trendbusiness-at-home.de/images/[...].txt

It then decrypts the downloaded text file to reveal the following download path:

  • apte-hamburg.de/Deutsch/Aktuell/{...}.exe

Small.DOG will then download and execute this file. The downloaded file is detected as Trojan-Spy:W32/BZub.BL

Registry

It installs the following registry entries as its autostart technique:

  • [HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa] {Special Character}:=7<${Special Character}#72'6S = "C:\%WinDirSys%\%FileName%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\OLE] {Special Character}:=7<${Special Character}#72'6S = "C:\%WinDirSys%\%FileName%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] {Special Character}:=7<${Special Character}#72'6S = "C:\%WinDirSys%\%FileName%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices] {Special Character}:=7<${Special Character}#72'6S = "C:\%WinDirSys%\%FileName%.exe"
  • [HKEY__MACHINE\SOFTWARE\Microsoft\Ole] {Special Character}:=7<${Special Character}#72'6S = "C:\%WinDirSys%\%FileName%.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] {Special Character}:=7<${Special Character}#72'6S = "C:\%WinDirSys%\%FileName%.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] {Special Character}:=7<${Special Character}#72'6S = "C:\%WinDirSys%\%FileName%.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] {Special Character}:=7<${Special Character}#72'6S = "C:\%WinDirSys%\%FileName% .exe"

Note: %WinDirSys% is by default C:\Windows\System32 and %FileName% represents the Copied filename plus the Random character.

Detection

F-Secure Anti-Virus detects this malware with the following updates:

Detection Type: PC

Database: 2006-08-23_01

Submit a Sample

Suspect a file or URL was wrongly detected?
Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info