TROJ_SMALL.WIE
Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This malware is dropped by TROJ_SMALL.WZ in specific folders.
The malware performs the following specific routines if it detects that it is loaded by sysprep.EXE:
The malware sends DNS TXT queries to specific URLs to receive an additional URL from which it downloads additional files. The replies from the servers are RC4-encrypted messages.
As of this writing, the malware connects to specific Google sites to download additional component files. The said files are also encrypted with the RC4 algorithm.
It decrypts and loads the downloaded files in memory.
TECHNICAL DETAILS
File Size: 8,704 bytes
File Type: DLL
Memory Resident: Yes
Initial Samples Received Date: 08 Feb 2011
Installation
This Trojan adds the following mutexes to ensure that only one of its copies runs at any one time:
- Global\sp_runned
NOTES:
This malware is dropped by TROJ_SMALL.WZ as ms{6 random characters}.DLL in %System%, %User Profile%\Application Data, or %User Profile%\Appdata\Roaming, depending on the operating system version and user privileges. It is also dropped as %System%\sysprep\cryptbase.DLL in Vista, 2008, and Windows 7.
The malware performs the following if it detects that it is loaded by sysprep.EXE:
- Copies itself to %System% as ms{random characters}.DLL
- It modifies the following registry entry to enable itself to execute at every system startup:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders = {default values} {file name of the dropped DLL}
(Default value: SecurityProviders = {default values})
- It also creates Firewall rules to add rundll32.EXE as an authorized application. The rule created is named "Security Update".
- This malware then proceeds to execute itself using rundll32.EXE.
The malware sends DNS TXT queries to the following URLs to receive an additional URL from which it downloads additional files. The replies from the servers are RC4-encrypted messages.
- {BLOCKED}t.domaincheker.name
- {BLOCKED}t-1.domaincheker.biz
- {BLOCKED}t-1-p.domaincheker.biz
- {BLOCKED}t-2.domaincheker.biz
- {BLOCKED}t-2-p.domaincheker.biz
- {BLOCKED}t-3.domaincheker.biz
- {BLOCKED}t-3-p.domaincheker.biz
As of this writing, the malware connects to the following Google sites to download additional component files. The said files are also encrypted with the RC4 algorithm.
- sites.google.com/site/{BLOCKED}a88888/Home/d77.ttf?attredirects=0&d=1
- sites.google.com/site/{BLOCKED}a88888/Home/qwe.ttf?attredirects=0&d=1
It saves the encrypted files it downloads as the following:
- %User Temp%\0-6.tmp
- %User Temp%\2-6.tmp
It decrypts and loads the downloaded files in memory.
Investigation of the files reveals that these are components used as proxy servers and to gather system information. This malware can also be instructed to download and install other malicious files.
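The persistence artifacts described above (the SecurityProviders value, the cryptbase.DLL planted under %System%\sysprep, the ms{random characters}.DLL copy in %System%, and the firewall rule) can be audited on a host with the following PowerShell script. It is an added example, not part of the Trend Micro write-up; the $Baseline default is an assumption (credssp.dll is the stock value on Vista/7) and should be replaced with the value taken from a clean reference host of the same OS version.

```powershell
# Added audit script, not from the Trend Micro entry. Run from an elevated
# PowerShell prompt (PowerShell 2.0 syntax so it also works on Windows 7).
param(
    # ASSUMPTION: known-good SecurityProviders entries for this OS version;
    # take the list from a clean reference host rather than trusting this default.
    [string[]]$Baseline = @('credssp.dll'),
    # Both rule names that appear in the write-up.
    [string[]]$RuleNames = @('Security Update', 'System Update')
)

$findings = @()
$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. SecurityProviders: every DLL listed here is loaded by LSASS at boot,
#    so any entry outside the baseline is a persistence candidate.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
$value = (Get-ItemProperty -Path $key -Name SecurityProviders).SecurityProviders
$entries = $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($e in $entries) {
    if ($Baseline -notcontains $e.ToLower()) {
        $findings += "Unexpected SecurityProviders entry: $e"
    }
}

# 2. cryptbase.dll next to sysprep.exe: the legitimate copy lives in System32,
#    so a copy in the sysprep folder matches the drop location described above.
$planted = Join-Path $sys32 'sysprep\cryptbase.dll'
if (Test-Path $planted) { $findings += "Planted DLL: $planted" }

# 3. ms{6 characters}.dll in System32 that lacks a valid Authenticode signature
#    (the signature check filters out legitimate Microsoft files with similar names).
Get-ChildItem -Path $sys32 -Filter 'ms??????.dll' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Where-Object { (Get-AuthenticodeSignature $_.FullName).Status -ne 'Valid' } |
    ForEach-Object { $findings += "Unsigned ms??????.dll: $($_.FullName)" }

# 4. Firewall rules by name (netsh advfirewall exists on Vista/2008/7 and
#    returns a non-zero exit code when no rule matches).
foreach ($n in $RuleNames) {
    $null = netsh advfirewall firewall show rule name="$n"
    if ($LASTEXITCODE -eq 0) { $findings += "Firewall rule present: '$n'" }
}

if ($findings.Count -eq 0) { 'No TROJ_SMALL.WIE persistence artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Any finding should be confirmed against the hashes and paths in this entry before removal, since an unsigned ms??????.dll can also be a third-party component.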
SOLUTION
Minimum Scan Engine: 8.900
First VSAPI Pattern File: 7.822.08
First VSAPI Pattern Release Date: 08 Feb 2011
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Remove the malware/grayware file that dropped/downloaded TROJ_SMALL.WIE:
- TROJ_SMALL.WZ
Step 3
Restore this modified registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask for assistance from your system administrator. Otherwise, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
- From: SecurityProviders = {default values} {file name of the dropped DLL}
To: SecurityProviders = {default values}
Step 4
Restart in normal mode and scan your computer with your Trend Micro product for files detected as TROJ_SMALL.WIE. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
NOTES:
Solution notes:
To delete the added Firewall Rules for OS Version 6 (Vista, 2008, 7):
- Open Windows Firewall. Click Start, type Windows Firewall with Advanced Security in the Search input field, and press Enter.
- In the left panel select Inbound Rules.
- Select the rule(s) named "System Update" in the Inbound Rules list then press Delete.
- Click Yes on the confirmation box that appears.
- Close Windows Firewall with Advanced Security.