Symptoms:
Presence of the following files:
- %windir%\System32\temp1.exe
- %windir%\System32\temp2.exe
- %windir%\autorun.inf
- %windir%\xcopy.exe
- %windir%\svchost.exe
Presence of the following value:
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load = "%windir%\svchost.exe"
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By:
Popescu Adrian, virus researcher
Technical Description:
Trojan.Dropper.Small.APL is dropped by another piece of malware as "%windir%\svchost.exe".
It drops two files:
- %windir%\System32\temp1.exe -> detected by BitDefender with Trojan.Perlovga.B
- %windir%\System32\temp2.exe -> detected by BitDefender with BackDoor.Small.L
Temp1.exe does the following:
- copies %windir%\svchost.exe into [SharedFolder]\host.exe
- copies %windir%\xcopy.exe into [SharedFolder]\copy.exe
- copies %windir%\autorun.inf into [SharedFolder]\autorun.inf
- modifies the key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\, setting the value "load" to "%windir%\svchost.exe"
Temp2.exe does the following:
- connects to the address "hnmy.[Removed].org" and waits for instructions, providing remote control (thus the name BackDoor.Small.LO)
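The indicators listed above can be checked on a host with the following PowerShell script. It is an added example, not BitDefender's disinfection tool or any code from the original description; it only reports what it finds, and it assumes the file paths and the registry "load" value exactly as given above.

```powershell
# Added detection check for the indicators on this page (not BitDefender's tool).
# Run in an elevated PowerShell on the suspect host; it reports, it removes nothing.
$windir = $env:windir

# File indicators from the "Symptoms" section. The legitimate svchost.exe and
# xcopy.exe live in System32, so copies directly under %windir% are suspicious.
$files = @(
    "$windir\System32\temp1.exe",
    "$windir\System32\temp2.exe",
    "$windir\autorun.inf",
    "$windir\xcopy.exe",
    "$windir\svchost.exe"
)

$findings = @()
foreach ($f in $files) {
    # -Force so a hidden/system-attributed autorun.inf is still returned.
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $item = Get-Item -LiteralPath $f -Force
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $f
            Detail   = "size=$($item.Length) sha256=$hash"
        }
    }
}

# Registry indicator: the Winlogon "load" value is an autostart location that is
# executed at logon. On a clean system it is absent or empty, so any value is worth a look.
$key  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$load = (Get-ItemProperty -Path $key -Name 'load' -ErrorAction SilentlyContinue).load
if ($load) {
    $findings += [pscustomobject]@{
        Type     = 'Registry'
        Location = "$key\load"
        Detail   = $load
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this description were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because the trojan writes to HKCU, this script only sees the hive of the user running it; to cover other accounts on the machine, repeat the registry check against each loaded hive under HKU.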