Threat description




A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.


Small.H duplicates file names and processes of legitimate Windows applications.Windows Task Manager does not show distinctive details:

In order to determine the Small.H processes from the Windows processes, an enhanced Task Manager is needed. Process Explorer, freeware from Sysinternals, is one such application.

Note: This is a Third Party application, the link below will direct you away from F-Secure's website.

  • 1. Download Process Explorer from Sysinternals website: The application is a standalone exe file and does not require installation.
  • 2. Run Process Explorer, in the process list find the following processes and end them by using the Kill option from the context menu (right-click):
    • csrss.exe
    • lsass.exe
    • winlogon.exe
    The screenshot below shows the targets highlighted in purple. Note the use of the folder icons unlike the legitimate Windows files. Do not end the Windows processes with the same names also seen in the screenshot.
  • 3. Remove the following files from the hard drive:
    • C:\[Documents and Settings]\[Current User]\winlogon.exe
    • C:\[Documents and Settings]\[Current User]\csrss.exe
    • C:\[Documents and Settings]\[Current User]\Local Settings\Temp\FolderData.exe
    • C:\RECYCLER\lsass.exe
    • C:\RECYCLER\msinfo\msinfo.exe
    [Documents and Settings] is by default C:\Documents and Settings\for Windows XP installations and C:\Users\ on 2K/Vista installation. [Current User] folder name is the same as the currently logged in user name.
  • 4. Download, then extract and merge "SmallH_RegCleaner.reg" into your registry by double-clicking on the file.

Technical Details

Small.H is a virus with an internal spamming engine and backdoor functionality. Please see the sections below for more details.Small.H, originally named lsass.exe, spreads itself using an internal spaming-engine that is controlled through a previously set-up backdoor.It fools the user into executing its exe file by using a Windows folder icon and file names such as:

  • Data.exe
  • Documents.exe
  • HotPictures.exe
  • HotXXX.exe
  • ImageGirls.exe
  • SexyBoy.exe
  • SexyGirls.exe
  • Songs.exe

Small.H creates several copies of itself:

  • C:\[Documents and Settings]\[Current User]\csrss.exe
  • C:\[Documents and Settings]\[Current User]\Local Settings\Temp\FolderData.exe
  • C:\[Documents and Settings]\[Current User]\winlogon.exe
  • C:\RECYCLER\lsass.exe
  • C:\RECYCLER\msinfo\msinfo.exe

It creates a number of autostart keys in the registry such as:

  • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Added value to "System" Added value to "Userinit"
  • [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows] Added value to "load"
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] Added value to (Default)
  • Service key tree: o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsInfo]

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info