Other versions: .eo, .fp, .os, .v, .x
Backdoor.Win32.Small.cz (Kaspersky Lab)
is also known as:
Backdoor.Trojan (Symantec), Backdoor:Win32/Small.CZ (RAV), BKDR_SMALL.P (Trend Micro), BDS/Small.CZ (H+BEDV), BackDoor.Small.3.AH (Grisoft), Trojan.Small-34 (ClamAV), Trj/Small.DL (Panda), Win32/Small.CZ (Eset)
Detection added: Jan 01 2005
Description added: Nov 25 2005
Behavior: Backdoor
Platform: Win32
This Trojan makes it possible for a remote malicious user to control the victim
machine. The program is a Windows PE EXE file 2560 bytes in size.
Once launched, the backdoor drops a file named troyan.exe, 3072 bytes in size, into the
Windows directory:
%WinDir%\troyan.exe
Note that the dropped file (3072 bytes) is not the same size as the original
executable (2560 bytes), so a file-size check has to use the right value for each.
It then registers troyan.exe in the system registry under a value named "avast"
(a name that mimics a legitimate antivirus product), so that the file is launched
each time Windows starts on the victim machine:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"avast"="%WinDir%\troyan.exe"
troyan.exe is an IRC bot. It connects to amsterdam2.******.org on TCP port 6667
(the standard IRC port) and then processes commands received from the remote
malicious user over the IRC channel.
The remote malicious user can check that the bot is still connected by sending it a PING.
The remote malicious user can also instruct the bot to download any number of
files. Every download is saved as "z31.exe" in the directory where the backdoor
file is located (i.e. %WinDir%\z31.exe), so each new download overwrites the
previous one. Once a download is complete, the file is launched with its window hidden.
Removal instructions:
Terminate the troyan.exe process (for example from Task Manager).
Delete the backdoor's autorun value from the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"avast"="%WinDir%\troyan.exe"
Delete the following files:
%WinDir%\troyan.exe
%WinDir%\z31.exe
Reboot the computer.
Perform a full scan of the computer with an up-to-date antivirus product.
Bear in mind that z31.exe is whatever the attacker last downloaded and ran, so
it may have installed something unrelated to this backdoor; the full scan after
the reboot is what catches that, not the three deletions above.
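As an added example (not part of the Kaspersky description), the following PowerShell script checks a host for the indicators given in the behavior section above (the "avast" Run value pointing at troyan.exe, the dropped troyan.exe and z31.exe, a running troyan process, and an established connection to TCP/6667) and, only when run with -Remediate, carries out the removal steps in the order listed. The -Remediate switch, the $findings report format and the use of Get-NetTCPConnection are this example's own choices; it assumes an elevated prompt and Windows 8/Server 2012 or later (where Get-NetTCPConnection exists).

```powershell
# Added example, not part of the Kaspersky description. Audits a host for the
# Backdoor.Win32.Small.cz indicators from the description and, with -Remediate,
# performs the removal steps in the order given. Run from an elevated prompt.
# Parameter name, report format and $findings bookkeeping are this example's own.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$winDir    = $env:WINDIR
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'avast'
$dropper   = Join-Path $winDir 'troyan.exe'
$payload   = Join-Path $winDir 'z31.exe'   # downloads land beside the backdoor
$findings  = @()

# 1. Persistence: the Run value named "avast" pointing at troyan.exe.
$runValue = (Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($runValue -and $runValue -match 'troyan\.exe') {
    $findings += "Run value '$valueName' = $runValue"
}

# 2. Dropped files. The description gives 3072 bytes for troyan.exe; other
#    sizes are still reported rather than ignored, in case the sample was repacked.
foreach ($path in @($dropper, $payload)) {
    if (Test-Path -LiteralPath $path) {
        $size = (Get-Item -LiteralPath $path).Length
        $findings += "File present: $path ($size bytes)"
    }
}

# 3. Running process and its IRC connection on TCP/6667.
$procs = @(Get-Process -Name 'troyan' -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    $findings += "Process running: troyan.exe (PID $($p.Id))"
}
$irc = @(Get-NetTCPConnection -RemotePort 6667 -State Established -ErrorAction SilentlyContinue)
foreach ($c in $irc) {
    $findings += "TCP/6667 connection: $($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress) (PID $($c.OwningProcess))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators of Backdoor.Win32.Small.cz found.'
    return
}
$findings | ForEach-Object { Write-Output "[+] $_" }

if (-not $Remediate) {
    Write-Output 'Re-run with -Remediate to remove the findings above.'
    return
}

# Removal in the order the description gives it: stop the process first so the
# file is no longer locked, then the Run value, then the files.
foreach ($p in $procs) {
    Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
}
if ($runValue) {
    Remove-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
}
foreach ($path in @($dropper, $payload)) {
    if (Test-Path -LiteralPath $path) {
        Remove-Item -LiteralPath $path -Force
    }
}
Write-Output 'Cleanup done. Reboot and run a full antivirus scan to confirm.'
```

Run it once without arguments to get a report, and only then with `-Remediate`; the script deliberately refuses to delete anything it did not first report, and it does not replace the reboot and full scan, which are still needed because z31.exe may have run an arbitrary second payload.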