Trojan-Downloader.Win32.Small.dam
Other versions: .cg, .cz, .hg, .jk, .jm, .s, .tnd, .tne, .tor, .tos, .ydh, .yk, .yt, .yx
Detection added: Jun 10 2006 08:23 GMT
Update released: Jun 10 2006 09:52 GMT
Description added: Jan 31 2007
CME-ID: CME-711
Behavior: TrojanDownloader
This Trojan downloads other malicious programs from the Internet and launches
them on the victim machine. The program itself is a Windows PE EXE file. The
file size varies significantly between samples.
This Trojan was originally distributed as an attachment to spam messages.
Infected messages:
Message subject (chosen at random from the list below):
- A killer at 11, he's free at 21 and kill again!
- U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela
Merkel
- British Muslims Genocide
- Naked teens attack home director.
- 230 dead as storm batters Europe.
- Re: Your text
- Radical Muslim drinking enemies's blood.
- Chinese missile shot down Russian satellite
- Chinese missile shot down Russian aircraft
- Chinese missile shot down USA aircraft
- Chinese missile shot down USA satellite
- Russian missile shot down USA aircraft
- Russian missile shot down USA satellite
- Russian missile shot down Chinese aircraft
- Russian missile shot down Chinese satellite
- Saddam Hussein safe and sound!
- Saddam Hussein alive!
- Venezuelan leader: "Let's the War beginning".
- Fidel Castro dead.
Attachment name (chosen at random from the list below):
- FullVideo.exe
- Full Story.exe
- Video.exe
- Read More.exe
- FullClip.exe
- GreetingPostcard.exe
- MoreHere.exe
- FlashPostcard.exe
- GreetingCard.exe
- ClickHere.exe
- ReadMore.exe
- FlashPostcard.exe
- FullNews.exe
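As an added example (this is not code from the original description), the following Python filter applies the lure pattern described above to an incoming message: a subject line from the list, an attachment carrying one of the listed names, and an attachment that is actually a Windows PE executable regardless of its name. The sample message and the attachment bytes are constructed inline (a minimal MZ/PE stub, not malware), so it runs offline; the names `score_message`, `is_pe_executable` and `build_sample_message` are this example's own.

```python
import email
import struct
from email import policy
from email.message import EmailMessage

# Subject lines and attachment names as listed in the description above.
LURE_SUBJECTS = {
    "A killer at 11, he's free at 21 and kill again!",
    "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel",
    "British Muslims Genocide",
    "Naked teens attack home director.",
    "230 dead as storm batters Europe.",
    "Re: Your text",
    "Radical Muslim drinking enemies's blood.",
    "Chinese missile shot down Russian satellite",
    "Chinese missile shot down Russian aircraft",
    "Chinese missile shot down USA aircraft",
    "Chinese missile shot down USA satellite",
    "Russian missile shot down USA aircraft",
    "Russian missile shot down USA satellite",
    "Russian missile shot down Chinese aircraft",
    "Russian missile shot down Chinese satellite",
    "Saddam Hussein safe and sound!",
    "Saddam Hussein alive!",
    "Venezuelan leader: \"Let's the War beginning\".",
    "Fidel Castro dead.",
}
LURE_ATTACHMENTS = {
    "fullvideo.exe", "full story.exe", "video.exe", "read more.exe", "fullclip.exe",
    "greetingpostcard.exe", "morehere.exe", "flashpostcard.exe", "greetingcard.exe",
    "clickhere.exe", "readmore.exe", "fullnews.exe",
}


def is_pe_executable(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def score_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and report which lure indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    findings = {"subject_match": subject in LURE_SUBJECTS, "attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings["attachments"].append({
            "name": name,
            "name_match": name.lower() in LURE_ATTACHMENTS,
            "is_pe": is_pe_executable(payload),
        })
    # A lure subject alone ("Re: Your text") is too generic to block on; require a
    # PE attachment that either carries a lure name or accompanies a lure subject.
    findings["verdict"] = any(
        a["is_pe"] and (a["name_match"] or findings["subject_match"])
        for a in findings["attachments"]
    )
    return findings


def make_pe_stub() -> bytes:
    """Constructed 128-byte MZ/PE header stub used only as test data (not a real executable)."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\0\0"
    return bytes(header)


def build_sample_message() -> bytes:
    """Constructed look-alike of the spam described above (addresses are hypothetical)."""
    msg = EmailMessage()
    msg["From"] = "news@example.com"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "230 dead as storm batters Europe."
    msg.set_content("Full story in the attached video.")
    msg.add_attachment(make_pe_stub(), maintype="application",
                       subtype="octet-stream", filename="FullVideo.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample_message()))
```

The PE check matters more than the name lists: the subject and attachment names were rotated between spam runs, while every attachment was a PE EXE as the description states, so a mail gateway that inspects attachment content rather than only the extension keeps catching new variants.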
Installation
Once launched, the Trojan creates the following files in the Windows system
directory:
- %System%\peers.ini
- %System%\wincom32.sys - this file is 41 728 bytes in size. It will be detected
by Kaspersky Anti-Virus as Rootkit.Win32.Agent.dh
The Trojan registers the dropped driver (wincom32.sys) as a service in the following system registry keys:
[HKLM\System\CurrentControlSet\Services\wincom32]
[HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINCOM32]
The Trojan then attempts to download other files from the Internet and launch
them on the victim machine.
The download links are hard-coded in the body of the Trojan, and the remote
attacker controls what is hosted at them, so any malicious program may be
delivered and the payload may change over time.
Removal instructions
- Reboot the computer in Safe Mode (at the start of the boot sequence,
press and hold F8, then choose Safe Mode from the Windows boot menu), so that
the wincom32.sys rootkit driver is not loaded.
- Delete the original Trojan file (the location will depend on
how the program originally got onto the victim machine).
- Delete the following files from the Windows system directory:
%System%\peers.ini
%System%\wincom32.sys
- Delete the following registry keys:
[HKLM\System\CurrentControlSet\Services\wincom32]
[HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINCOM32]
- Update your antivirus databases and perform a full scan of the
computer (download a trial version of Kaspersky Anti-Virus).
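As an added example (not part of the original description), the following Python check looks for the host artifacts listed in the Installation and removal sections: the two dropped files in the Windows system directory, with the 41 728-byte size the description gives for wincom32.sys, and the two service registry keys under HKLM. The file and registry lookups are injectable so the check can run offline, and `demo` builds a constructed infected-looking layout in a temporary directory with a fake registry; `check_host`, `default_key_exists` and `demo` are this example's own names. Run it from Safe Mode or against an offline copy of the disk, since the rootkit driver can hide these artifacts while it is loaded.

```python
import os
import sys
import tempfile

# Artifacts named in the description above; the expected size is given only for the driver.
DROPPED_FILES = {"peers.ini": None, "wincom32.sys": 41728}
REGISTRY_KEYS = [
    r"SYSTEM\CurrentControlSet\Services\wincom32",
    r"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32",
]


def default_key_exists(subkey: str) -> bool:
    """Open the key under HKLM via winreg on Windows; on other platforms there is no registry."""
    if sys.platform != "win32":
        return False
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey):
            return True
    except OSError:
        return False


def check_host(system_dir, key_exists=default_key_exists,
               exists=os.path.exists, getsize=os.path.getsize):
    """Return one finding string per artifact present; an empty list means nothing was found."""
    findings = []
    for name, expected_size in DROPPED_FILES.items():
        path = os.path.join(system_dir, name)
        if not exists(path):
            continue
        size = getsize(path)
        if expected_size is not None and size != expected_size:
            findings.append(f"file present: {path} (size {size}, description lists {expected_size})")
        else:
            findings.append(f"file present: {path}")
    for key in REGISTRY_KEYS:
        if key_exists(key):
            findings.append(f"registry key present: HKLM\\{key}")
    return findings


def demo():
    """Constructed infected-looking system directory plus a fake registry holding one of the keys."""
    with tempfile.TemporaryDirectory() as system_dir:
        with open(os.path.join(system_dir, "peers.ini"), "w") as f:
            f.write("[peers]\n")                      # constructed content, not a real sample
        with open(os.path.join(system_dir, "wincom32.sys"), "wb") as f:
            f.write(b"\0" * 41728)                    # size from the description, zero-filled
        fake_registry = {REGISTRY_KEYS[0]}
        return check_host(system_dir, key_exists=lambda k: k in fake_registry)


if __name__ == "__main__":
    # On a real host: %System% is the System32 directory under SystemRoot.
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for line in check_host(system_dir) or ["no artifacts found"]:
        print(line)
```

A size mismatch on wincom32.sys is reported rather than ignored, because the description gives a fixed size for the driver while the downloader's own size varies; a differently sized file of that name still deserves a look but should not be treated as a confirmed match.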