Home > Threat descriptions >



Category: Malware

Type: Backdoor

Aliases: Backdoor:W32/Small.H, Virus.Win32.Small.h


A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.


Small.H duplicates file names and processes of legitimate Windows applications.Windows Task Manager does not show distinctive details:

In order to determine the Small.H processes from the Windows processes, an enhanced Task Manager is needed. Process Explorer, freeware from Sysinternals, is one such application.

Note: This is a Third Party application, the link below will direct you away from F-Secure's website.

  • 1. Download Process Explorer from Sysinternals website: https://www.sysinternals.com/Utilities/ProcessExplorer.html. The application is a standalone exe file and does not require installation.
  • 2. Run Process Explorer, in the process list find the following processes and end them by using the Kill option from the context menu (right-click):
    • csrss.exe
    • lsass.exe
    • winlogon.exe
    The screenshot below shows the targets highlighted in purple. Note the use of the folder icons unlike the legitimate Windows files. Do not end the Windows processes with the same names also seen in the screenshot.
  • 3. Remove the following files from the hard drive:
    • C:\[Documents and Settings]\[Current User]\winlogon.exe
    • C:\[Documents and Settings]\[Current User]\csrss.exe
    • C:\[Documents and Settings]\[Current User]\Local Settings\Temp\FolderData.exe
    • C:\RECYCLER\lsass.exe
    • C:\RECYCLER\msinfo\msinfo.exe
    [Documents and Settings] is by default C:\Documents and Settings\for Windows XP installations and C:\Users\ on 2K/Vista installation. [Current User] folder name is the same as the currently logged in user name.
  • 4. Download SmallH_RegCleaner.zip, then extract and merge "SmallH_RegCleaner.reg" into your registry by double-clicking on the file.
Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Small.H is a virus with an internal spamming engine and backdoor functionality. Please see the sections below for more details.Small.H, originally named lsass.exe, spreads itself using an internal spaming-engine that is controlled through a previously set-up backdoor.It fools the user into executing its exe file by using a Windows folder icon and file names such as:

  • Data.exe
  • Documents.exe
  • HotPictures.exe
  • HotXXX.exe
  • ImageGirls.exe
  • SexyBoy.exe
  • SexyGirls.exe
  • Songs.exe

Small.H creates several copies of itself:

  • C:\[Documents and Settings]\[Current User]\csrss.exe
  • C:\[Documents and Settings]\[Current User]\Local Settings\Temp\FolderData.exe
  • C:\[Documents and Settings]\[Current User]\winlogon.exe
  • C:\RECYCLER\lsass.exe
  • C:\RECYCLER\msinfo\msinfo.exe

It creates a number of autostart keys in the registry such as:

  • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Added value to "System" Added value to "Userinit"
  • [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows] Added value to "load"
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] Added value to (Default)
  • Service key tree: o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsInfo]