Trojan-Downloader:W32/Small.CZL

Trojan-Downloader:W32/Small.CZL is a trojan used to steal passwords from QQ Instant Messenger and also tries to download other components from the Internet. It may arrive on the system as a component of other malware or maybe downloaded from the Internet directly.Upon execution, it drops the following files:

• %SysDir%\ctfnom.exe - Main executable file of the malware
• %SysDir%\drivers\usbine.sys - Component file detected as Trojan-Downloader.Win32.Small.czl

This trojan checks for the installation of the Chinese Instant Messenger QQ in the system by searching for the following registry entry:

• [HKLM\SOFTWARE\TENCENT\PLATFORM_TYPE_LIST\1] TyePath

Note: TyePath contains the path where the QQ.exe file is located, usually %ProgramFiles%\Tencent\QQ.If the QQ Instant Messenger is installed, it will search for the following file from the QQ installation path:

• TIMPLATFORM.EXE

When this file is found, this trojan will rename the original TIMPLATFORM.EXE to TIMPLATFROM.EXE. After that, it will create a copy of itself with the name TIMPLATFORM.EXE.It creates the following autostart registry entry:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] twin = "%SysDir%\ctfnom.exe"

It also sets the value of the following registry entry as part of its installation routine:

• [HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] load = 8

Trojan-Downloader:W32/Small.CZL also tries to delete the following file:

• D:\autorun.inf.

It also deletes the following registry key:

• [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs]

In order to steal passwords from QQ Instant Messenger, this trojan monitors the window used by QQ.exe and logs keystrokes.This trojan may also download other components from the Internet.

Detection

F-Secure Anti-Virus detects this malware with the following updates:

Detection Type: PC

Database: 2006-06-05_01