TROJ_SMALL.JTM
Trojan Horse (Symantec), Generic.dx (McAfee), Trojan.Win32.Small.bpu (Kaspersky)
Windows 2000, XP, Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats. As of this writing, the said sites are inaccessible.
It opens a hidden Internet Explorer window.
TECHNICAL DETAILS
59,904 bytes
PE
Yes
02 Aug 2008
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system:
- %System%\Spooler.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following component file(s):
- %Windows%\qqssdll.dll
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Print Spooler = "%System%\Spooler.exe"
Download Routine
This Trojan connects to the following malicious URLs:
- http://{BLOCKED}g.{BLOCKED}t.com/WB/yguang/tj.html
- http://{BLOCKED}g.{BLOCKED}t.com/WB/yguang/msg2.txt
As of this writing, the said sites are inaccessible.
Other Details
This Trojan opens a hidden Internet Explorer window.