Threat behavior
TrojanDownloader:Win32/Small is a family of Trojans that download unwanted software from a remote Web site. The downloaded content could include anything from additional downloader Trojans to imitation security programs.
When TrojanDownloader:Win32/Small!AA7A runs, it does the following:
- Drops file "wupmncva.exe" under directory %windir%
- Modifies the registry to load this copy of itself when Windows is started:
Set "wupmncvA" = "%windir%\wupmncva.exe", under key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
%windir%\wupmncva.exe does the following:
- Drops the following files to the %windir% folder:
"jptc.dat"
"wupmncv.exe"
"offun.exe"
"srvwrmhkyw.exe"
"srvgocxgaa.exe"
- Modifies the following registry entry:
Set "DisplayName" = "windows overlay components", under key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\OvMon
- Launches the file %windir%\wupmncv.exe, by running "C:\WINDOWS\wupmncv.exe" -i
- Launches the file %windir%\wupmncva.exe, by running "C:\WINDOWS\wupmncvA.exe"
- Launches the file %windir%\srvwrmhkyw.exe, by running "C:\WINDOWS\srvwrmhkyw.exe"
- Launches the file %windir%\srvgocxgaa.exe, by running "C:\WINDOWS\srvgocxgaa.exe"
%windir%\wupmncva.exe may do the following:
- Drops file "jptc.dat" under directory %windir%
- Modifies the following registry entry:
Set "ProxyBypass" = "1", under key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Opens and listens on UDP port 0
%windir%\srvwrmhkyw.exe may do the following:
- Drops file "nst2.tmp" under directory c:\docume~1\admini~1\locals~1\temp
- Drops file "nodeipproc.dll" under directory <system folder>
- Drops file "uninsticn.exe" under directory <system folder>
- Modifies the following registry entries:
Set "DisplayName" = "icons", under key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AdRotator
Set "Vendor" = "smoke", under key HKEY_LOCAL_MACHINE\Software\NodeIpProc
%windir%\srvgocxgaa.exe may do the following:
- Drops file "pshope.exe" under directory c:\program files\pshope
- Drops file "uninstall.exe" under directory c:\program files\pshope
- Modifies the following registry entries:
Set "PSHope" = ""c:\program files\pshope\pshope.exe"", under key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Set "aid" = "13", under key HKEY_CURRENT_USER\Software\PSHope
- Launches the file c:\program files\pshope\pshope.exe, by running "C:\Program Files\PSHope\PSHope.exe"
c:\program files\pshope\pshope.exe may do the following:
- Modifies the following registry entry:
Set "Version" = "2", under key HKEY_CURRENT_USER\Software\PSHope
TrojanDownloader:Win32/Small!AA7A may also modify the registry as follows:
Set "(default)" = "oddbot", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OddBot.AdClicker.1
Set "(default)" = "{2b896072-f6e3-4ff7-ade6-43d5bec6557c}", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OddBot.AdClicker.1\CLSID
Set "(default)" = "oddbot", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OddBot.AdClicker
Set "(default)" = "{2b896072-f6e3-4ff7-ade6-43d5bec6557c}", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OddBot.AdClicker\CLSID
Set "(default)" = "oddbot.adclicker.1", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OddBot.AdClicker\CurVer
Set "(default)" = "oddbot", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B896072-F6E3-4FF7-ADE6-43D5BEC6557C}
Set "(default)" = "oddbot.adclicker.1", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B896072-F6E3-4FF7-ADE6-43D5BEC6557C}\ProgID
Set "(default)" = "oddbot.adclicker", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B896072-F6E3-4FF7-ADE6-43D5BEC6557C}\VersionIndependentProgID
Set "(default)" = "<system folder>\nodeipproc.dll", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B896072-F6E3-4FF7-ADE6-43D5BEC6557C}\InprocServer32
Set "(default)" = "{c845ac9a-70a6-491c-9106-d34a360e1f58}", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B896072-F6E3-4FF7-ADE6-43D5BEC6557C}\TypeLib
Set "NoExplorer" = """", under key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B896072-F6E3-4FF7-ADE6-43D5BEC6557C}
Set "(default)" = "oddbot 1.0 type library", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C845AC9A-70A6-491C-9106-D34A360E1F58}\1.0
Set "(default)" = "0", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C845AC9A-70A6-491C-9106-D34A360E1F58}\1.0\FLAGS
Set "(default)" = "<system folder>\nodeipproc.dll", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C845AC9A-70A6-491C-9106-D34A360E1F58}\1.0\0\win32
Set "(default)" = "<system folder>\", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C845AC9A-70A6-491C-9106-D34A360E1F58}\1.0\HELPDIR
Set "(default)" = "iadclicker", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{251DF512-6FAF-4AAF-BF19-D99B5F1C9250}
Set "(default)" = "{00020424-0000-0000-c000-000000000046}", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{251DF512-6FAF-4AAF-BF19-D99B5F1C9250}\ProxyStubClsid
Set "(default)" = "{00020424-0000-0000-c000-000000000046}", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{251DF512-6FAF-4AAF-BF19-D99B5F1C9250}\ProxyStubClsid32
Set "(default)" = "{c845ac9a-70a6-491c-9106-d34a360e1f58}", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{251DF512-6FAF-4AAF-BF19-D99B5F1C9250}\TypeLib
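The indicators above (dropped files, Run entries, the uninstall and vendor keys, and the OddBot.AdClicker COM/BHO registration) can be checked on a host with a short read-only script. The script below is an added example and is not part of the Microsoft encyclopedia entry; it only reports which of the listed indicators are present and removes nothing. It assumes that "<system folder>" maps to %windir%\System32 and that "c:\program files" maps to %ProgramFiles%; both are assumptions, not statements from the entry.

```powershell
# Added triage script: checks for the TrojanDownloader:Win32/Small!AA7A
# indicators listed in the "Threat behavior" section. Read-only; reports only.
$win = $env:windir
$sys = Join-Path $env:windir 'System32'   # assumed location of "<system folder>"
$pf  = $env:ProgramFiles                  # assumed location of "c:\program files"

# Files the entry says are dropped.
$files = @(
    (Join-Path $win 'wupmncva.exe'),
    (Join-Path $win 'jptc.dat'),
    (Join-Path $win 'wupmncv.exe'),
    (Join-Path $win 'offun.exe'),
    (Join-Path $win 'srvwrmhkyw.exe'),
    (Join-Path $win 'srvgocxgaa.exe'),
    (Join-Path $sys 'nodeipproc.dll'),
    (Join-Path $sys 'uninsticn.exe'),
    (Join-Path $pf  'pshope\pshope.exe'),
    (Join-Path $pf  'pshope\uninstall.exe')
)

# Autostart values the entry says are written.
$runValues = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'wupmncvA' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'PSHope' }
)

# Registry keys whose mere presence is an indicator.
$clsid = '{2B896072-F6E3-4FF7-ADE6-43D5BEC6557C}'
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\OvMon',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\AdRotator',
    'HKLM:\Software\NodeIpProc',
    'HKCU:\Software\PSHope',
    'HKLM:\SOFTWARE\Classes\OddBot.AdClicker',
    'HKLM:\SOFTWARE\Classes\OddBot.AdClicker.1',
    "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    'HKLM:\SOFTWARE\Classes\TypeLib\{C845AC9A-70A6-491C-9106-D34A360E1F58}',
    'HKLM:\SOFTWARE\Classes\Interface\{251DF512-6FAF-4AAF-BF19-D99B5F1C9250}'
)

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

foreach ($rv in $runValues) {
    $item = Get-ItemProperty -LiteralPath $rv.Path -ErrorAction SilentlyContinue
    $name = $rv.Name
    if ($item -and $item.PSObject.Properties[$name]) {
        $findings += "Run value present: $($rv.Path)\$name = $($item.$name)"
    }
}

foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No TrojanDownloader:Win32/Small!AA7A indicators found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and %windir% are readable; a hit on any of the Run values or on the Browser Helper Objects CLSID key is the strongest signal, since those are the entries that give the dropped files persistence and load nodeipproc.dll into Internet Explorer.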
Prevention
Take the following steps to help prevent infection on your system:
- Enable a firewall on your computer.
- Get the latest computer updates.
- Use up-to-date antivirus software.
- Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
- Click Start, and click Control Panel.
- Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
- Click Change Windows Firewall Settings.
- Select On.
- Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
- Click Start, and click Control Panel.
- Click System.
- Click Automatic Updates.
- Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.