Trojan downloader: Trojan-Downloader.Win32.Small.b
Risk level: Medium
Virus description
The sample is a downloader written in Visual C++ (VC), 32,811 bytes in size, using the .exe extension (the icon image is not reproduced here). It spreads bundled with other files, through drive-by download web pages, and through download tools. Its main purpose is to download further Trojan horse components.
When a computer is infected with this Trojan, typical symptoms are unexplained system errors, anti-virus software that fails to start or quits on its own, and a large number of unknown processes.
Infected OS
Windows 2000/Windows XP / Windows 2003/Windows Vista / Windows 7
Transmission
File bundling, drive-by download web pages, download tools
Manual removal:
Manually delete files
1. Delete %Temp%\setup.exe
2. Delete %Temp%\set1.tmp.bat (the name is random; see the analysis below)
3. Delete %Documents and Settings%\<current user>\Local Settings\Temporary Internet Files\Content.IE5\0A01B6SV\xxxeeeddd[1].exe (the Content.IE5 subfolder name is random on each machine, so search the whole Content.IE5 tree for xxxeeeddd*.exe)
Manually delete the registry entries
1. Delete
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
Name:
Data: CacheOk
2. Delete
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Name: ThreadingModel
Data: Apartment
3. Delete
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
4. Delete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{897ed10a-7e49-11df-bd9f-806d6172696f}
Name: BaseClass
Data: Drive
Caveat: {20D04FE0-3AEA-1069-A2D8-08002B30309D} is the CLSID of the My Computer shell folder, and MountPoints2 subkeys with BaseClass = Drive are written by Explorer for every volume it enumerates. Entries 2 to 4 are therefore standard Windows keys that most likely showed up in a before/after registry comparison during analysis rather than being created by the sample, and deleting the InProcServer32 value under that CLSID can break Explorer. Back up the registry and confirm each key is actually anomalous on the infected machine before removing it; of the four, only the DownloadManager value is specific to this sample.
Variable declaration:
%SystemDrive% the partition the system is installed on, typically "C:\"
%SystemRoot% the Windows directory, usually "C:\Windows"
%Documents and Settings% the user profile directory, usually "C:\Documents and Settings"
%Temp% the temporary folder, usually "C:\Documents and Settings\<current user name>\Local Settings\Temp"
%ProgramFiles% the default program installation directory, typically "C:\Program Files"
Virus analysis:
1. The virus calls URLDownloadToFileA to download setup.exe from its web site into the temporary directory.
2. It executes %Temp%\setup.exe with a hidden window.
3. It creates a monitoring process that installs message hooks on the keyboard and mouse to capture user input.
4. It attempts to connect to www.***.info, creates a remote thread, and reads the remote file www.****.info/xxxeeeddd.exe to local disk.
5. It creates %Temp%\set1.tmp (random name) and a batch file %Temp%\set1.tmp.bat (random name) that deletes the sample, so that it removes its own traces.
6. It opens the named pipes \\.\pipe\wkssvc and \\.\pipe\lsarpc.
7. Network connection observed: local 127.0.0.1:1695 to remote 222.189.238.246:80.
Files created by the virus:
%Temp%\setup.exe
%Temp%\set1.tmp.bat
%Documents and Settings%\<current user>\Local Settings\Temporary Internet Files\Content.IE5\0A01B6SV\xxxeeeddd[1].exe
Registry entries created by the virus:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
Name:
Data: CacheOk
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Name: ThreadingModel
Data: Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{897ed10a-7e49-11df-bd9f-806d6172696f}
Name: BaseClass
Data: Drive
Network access by the virus:
http://www.*****.info/xxxeeeddd.exe
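The PowerShell script below is an added example for this write-up and is not part of the original analysis. It checks a host for the indicators listed in the removal and analysis sections and removes only the artifacts the sample itself drops, leaving the My Computer CLSID and MountPoints2 keys alone. Assumptions, not stated on the page: the DownloadManager value with data CacheOk is the key's default value (the listing shows no value name); the randomly named batch file can be matched by the *.tmp.bat pattern plus a leading del command; the remote address 222.189.238.246 is taken from the network section. Because the Content.IE5 subfolder (0A01B6SV above) is random per machine, the cache is searched recursively.

```powershell
# Added example, not from the original write-up. Scans for the indicators of
# Trojan-Downloader.Win32.Small.b listed above and removes only the sample's
# own artifacts. Run elevated; add -WhatIf to preview without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: remote address taken from the analysis section.
    [string]$RemoteIp = '222.189.238.246'
)

$temp = $env:TEMP

# Temporary Internet Files lives in different places on XP/2003 and Vista/7.
$cacheRoots = @()
if ($env:USERPROFILE)  { $cacheRoots += Join-Path $env:USERPROFILE  'Local Settings\Temporary Internet Files\Content.IE5' }
if ($env:LOCALAPPDATA) { $cacheRoots += Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files\Content.IE5' }

# 1. File indicators.
$fileHits = @()
$setup = Join-Path $temp 'setup.exe'
if (Test-Path -LiteralPath $setup) { $fileHits += Get-Item -LiteralPath $setup }

# The self-delete batch file has a random name; match *.tmp.bat files in %Temp%
# whose first non-blank content is a del command (assumed pattern).
$fileHits += @(Get-ChildItem -Path $temp -Filter '*.tmp.bat' -ErrorAction SilentlyContinue |
    Where-Object { Select-String -Path $_.FullName -Pattern '^\s*del\s' -Quiet })

# The Content.IE5 subfolder (0A01B6SV in the write-up) is random per machine,
# so search the cache recursively for the downloaded payload.
foreach ($root in $cacheRoots) {
    if (Test-Path -LiteralPath $root) {
        $fileHits += @(Get-ChildItem -Path $root -Recurse -Force -Filter 'xxxeeeddd*.exe' -ErrorAction SilentlyContinue)
    }
}

# 2. Registry indicator. Only the DownloadManager value is attributable to the
# sample; the {20D04FE0-...} (My Computer) and MountPoints2 keys are standard
# shell entries and are deliberately not touched. Assumption: the unnamed value
# in the listing is the key's default value.
$regPath = 'HKLM:\SOFTWARE\Microsoft\DownloadManager'
$regHit = $false
if (Test-Path -Path $regPath) {
    $default = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).'(default)'
    if ($default -eq 'CacheOk') { $regHit = $true }
}

# 3. Network indicator: any socket to the download server on port 80.
# netstat is used instead of Get-NetTCPConnection so this also runs on XP/7.
$netHits = @(netstat -ano | Select-String -SimpleMatch "${RemoteIp}:80")

# Report before touching anything.
Write-Output ("File indicators found:    {0}" -f $fileHits.Count)
$fileHits | ForEach-Object { Write-Output ("  " + $_.FullName) }
Write-Output ("Registry indicator found: {0}" -f $regHit)
Write-Output ("Connections to {0}:80:   {1}" -f $RemoteIp, $netHits.Count)
$netHits | ForEach-Object { Write-Output ("  " + $_.Line.Trim()) }

# 4. Removal. Stop any running copy of the dropped files first, otherwise the
# delete fails with a sharing violation (setup.exe runs with a hidden window).
$hitPaths = @($fileHits | ForEach-Object { $_.FullName })
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    if ($proc.Path -and ($hitPaths -contains $proc.Path)) {
        if ($PSCmdlet.ShouldProcess($proc.Path, 'Stop-Process')) {
            Stop-Process -Id $proc.Id -Force
        }
    }
}
foreach ($f in $fileHits) {
    if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove-Item')) {
        Remove-Item -LiteralPath $f.FullName -Force
    }
}
if ($regHit -and $PSCmdlet.ShouldProcess($regPath, 'Remove default value CacheOk')) {
    Remove-ItemProperty -Path $regPath -Name '(default)'
}
```

Run it first as .\check-small-b.ps1 -WhatIf to see what would be stopped and deleted; copy any hit to an isolated location for analysis before the real run, since the script deletes rather than quarantines. A connection to the remote address with no file hits usually means the payload has already moved on from %Temp%, and the process owning the socket (the PID in the netstat line) is the next thing to look at.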