Trojan-Downloader:W32/Small.CZL is a trojan used to steal passwords from QQ Instant Messenger and also tries to download other components from the Internet. It may arrive on the system as a component of other malware or maybe downloaded from the Internet directly.Upon execution, it drops the following files:
- %SysDir%\ctfnom.exe - Main executable file of the malware
- %SysDir%\drivers\usbine.sys - Component file detected as Trojan-Downloader.Win32.Small.czl
This trojan checks for the installation of the Chinese Instant Messenger QQ in the system by searching for the following registry entry:
- [HKLM\SOFTWARE\TENCENT\PLATFORM_TYPE_LIST\1] TyePath
Note: TyePath contains the path where the QQ.exe file is located, usually %ProgramFiles%\Tencent\QQ.If the QQ Instant Messenger is installed, it will search for the following file from the QQ installation path:
When this file is found, this trojan will rename the original TIMPLATFORM.EXE to TIMPLATFROM.EXE. After that, it will create a copy of itself with the name TIMPLATFORM.EXE.It creates the following autostart registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] twin = "%SysDir%\ctfnom.exe"
It also sets the value of the following registry entry as part of its installation routine:
- [HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] load = 8
Trojan-Downloader:W32/Small.CZL also tries to delete the following file:
It also deletes the following registry key:
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs]
In order to steal passwords from QQ Instant Messenger, this trojan monitors the window used by QQ.exe and logs keystrokes.This trojan may also download other components from the Internet.
F-Secure Anti-Virus detects this malware with the following updates:
Detection Type: PC