| Field | Value |
| --- | --- |
| Malware name | Trojan.Dldr.Small.euo |
| Type | Trojan |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | 302B4DCF260769EB1DFE3721A030AB6E |
| Static file | yes |
| Filesize | 41,476 Bytes |

Alias names (also known as):

| Vendor | Detection name |
| --- | --- |
| Webwasher Proactive | Win32.Malware.gen |
| Sophos | Troj/Dwnldr-HHB |
| CA ETrust | Win32/SillyDl.FEV |

Protection: Webwasher Proactive, Database Version: 96

Side effects:
- Downloads malicious files
- Registry modification

Propagation: No own spreading routine
Description:
Files
It tries to download the following files:
– The location is the following:
• http://any-pictures.com/**********/item_fdfgi.gif
It is saved on the local hard drive under: %TEMPDIR%\1.tmp. The file is executed once the download has completed. Further investigation showed that this file is malware, too. Detected as: Trojan.Drop.Agent.eae
– The location is the following:
• http://bigimagecatalogue.com/**********/hrtzqczuuff.gif
It is saved on the local hard drive under: %TEMPDIR%\2.tmp. The file is executed once the download has completed. Further investigation showed that this file is malware, too. Detected as: Trojan.Dldr.Agent.ryn
Registry
The following value is added to the Run key, so the malware is started at every user logon:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "Somefox"="%malware execution directory%\%executed file%"
The following registry keys are added:
– [HKLM\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters]
• "TrapPollTimeMilliSecs"=dword:%hex number%
– [HKLM\SOFTWARE\Mozilla\Somefox]
• "Str4265778"="mg=="
• "Str4"=""
• "Str1"="%random character string%"
• "Str0"="%random character string%"
• "Int2"=dword:%hex number%
• "Int3"=dword:%hex number%
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
• PECompact
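As an added example (not part of the original description), the following Python script turns the indicators from the Files and Registry sections above into checks a responder can run over collected artefacts: the MD5 and file size of the static sample, the two download hosts (the URL paths are masked on the page, so only the host names are matched), the %TEMPDIR% file names, the "Somefox" Run value and the two registry keys. The registry export and the proxy log lines embedded below are constructed for illustration, not real telemetry.

```python
"""IOC checks for Trojan.Dldr.Small.euo as described above.
Added example, not part of the original description; the sample
registry export and proxy log lines at the bottom are constructed."""
import hashlib
import re

# Indicators taken from the description above.
MD5_IOC = "302b4dcf260769eb1dfe3721a030ab6e"
FILESIZE_IOC = 41476
DOWNLOAD_HOSTS = {"any-pictures.com", "bigimagecatalogue.com"}
DROPPED_NAMES = ("1.tmp", "2.tmp")          # written to %TEMPDIR%
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Somefox"
MARKER_KEYS = {                              # compared case-insensitively
    r"hkey_local_machine\software\mozilla\somefox",
    r"hkey_local_machine\software\microsoft\rfc1156agent\currentversion\parameters",
}


def check_sample(data: bytes) -> dict:
    """Static match: both the MD5 and the 41,476-byte size must agree.
    A repacked variant changes both, so this identifies this exact sample only."""
    return {
        "md5_match": hashlib.md5(data).hexdigest() == MD5_IOC,
        "size_match": len(data) == FILESIZE_IOC,
    }


def scan_reg_export(text: str) -> list:
    """Walk a 'reg export' style dump and report the marker keys and the
    Somefox Run value. Returns (kind, detail) tuples in file order."""
    hits = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current.lower() in MARKER_KEYS:
                hits.append(("marker_key", current))
        elif current is not None and current.lower() == RUN_KEY.lower():
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m and m.group(1) == RUN_VALUE:
                hits.append(("run_value", m.group(2)))
    return hits


def scan_proxy_log(lines) -> list:
    """Report requests to the download hosts. The page describes .gif URLs
    whose bodies are executables saved as %TEMPDIR%\\1.tmp and 2.tmp."""
    hits = []
    for line in lines:
        m = re.search(r"https?://([^/\s]+)/", line)
        if m and m.group(1).lower() in DOWNLOAD_HOSTS:
            hits.append(m.group(1).lower())
    return hits


def dropped_file_hits(temp_listing) -> list:
    """Given file names found in %TEMPDIR%, return the ones named on the page."""
    return [name for name in temp_listing if name.lower() in DROPPED_NAMES]


# Constructed sample inputs (not real telemetry). The Run value path is a
# made-up location; the URL paths keep the masking used on the page.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Somefox"="C:\\Users\\victim\\Downloads\\setup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Somefox]
"Str4265778"="mg=="
"Str4"=""
"""

SAMPLE_LOG = [
    "10.0.0.5 GET http://any-pictures.com/**********/item_fdfgi.gif 200",
    "10.0.0.5 GET http://www.example.org/index.html 200",
    "10.0.0.5 GET http://bigimagecatalogue.com/**********/hrtzqczuuff.gif 200",
]

if __name__ == "__main__":
    print(scan_reg_export(SAMPLE_REG))
    print(scan_proxy_log(SAMPLE_LOG))
    print(dropped_file_hits(["1.tmp", "report.docx", "2.TMP"]))
```

The hash and size checks only match the static sample listed in the table; a repacked or recompiled variant changes both, so the registry markers (the "Somefox" Run value and the HKLM\SOFTWARE\Mozilla\Somefox key) and the download hosts are the more durable indicators. On a live Windows host the export would come from `reg export` of the two hives, and a hit on the Run value should be followed by collecting the referenced executable and the two %TEMPDIR% files before they are removed.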