Threat Description

Small.avu

Details

Category: Malware
Platform: W32
Aliases: Small.avu, Trojan-Downloader.Win32.Small.avu, W32/Small.avu, Backdoor.Win32.Dumador.bl, Backdoor.Win32.Dumadoor.bl

Summary


We got several reports about the 'Small.avu' trojan downloader on May 24th, 2005. According to those reports the trojan was spammed to a large number of people in e-mail messages. The trojan downloader is programmed to download and run a Dumador backdoor variant from a website.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


The trojan downloader's file is a PE executable 1648 bytes long, packed with FSG file compressor.

According to the reports the trojan downloader was spammed with e-mail messages that looked like that:

Subject:

ISTE RUS CITIRLAR  

Body:

SELAM BEYLER!!!!  NATASHALAR SIZLERI BEKLIYOR::::..  HERZAMAN BIR RUSYALI NATASHA ILE SEX DOLU BIR GECE YASAMAYI HEPINIZ  DUSUNMUSSUNUZDUR.ISTE FIRSAT.BU GERCEKLESEBILIR,YUZLERCE RUS KIZI  TURKIYEYE GELMEK ICIN SIZLERI BEKLIYOR.7/24 SIZINLE VE EMRINIZDE.  MAILIMIZDE KIZLARIMIZIN RESIMLERINI GOREBILIRSINIZ.BEGENIN,SECIN.VE SIZIN OLSUN.  GERISI SIZE KALMIS:::.  

The trojan downloader's file was attached to these messages as 'ATTACH.RAR.EXE' file. When this file is run by a user, it attempts to download and run a variant of Dumador backdoor from the following website:

tr.distributed-hosting.com  

We have reported the abuse to the ISP that hosts that website.



Detection


The downloaded Dumador backdoor variant is detected as 'Backdoor.Win32.Dumador.bl' with the following F-Secure Anti-Virus update:

Detection Type: PC
Database: 2005-04-27_05

The trojan downloader is detected as 'W32/Small.avu' with the following F-Secure Anti-Virus update:

Detection Type: PC
Database: 2005-05-24_05



Description Details: Alexey Podrezov, May 24th, 2005


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More