Virus:Trojan.Win32.Small.ev
Other versions: .c , .eu , .nt
| Aliases |
| Detection added | Jul 19 2005 13:23 GMT |
| Update released | Jul 19 2005 14:31 GMT |
| Description added | Sep 09 2005 |
| Behavior | Trojan |
| Technical details |
This Trojan is a Windows PE EXE file 40448 bytes in size.
Installation
Once launched, the Trojan creates the following files in the Windows system and root directories:
%System%\intell32.exe%System%\oleext.dll
%System%\oleext32.dll
%System%\wppp.html
%Windir%\uninstIU.exe
It then registers itself in the system registry, ensuring that the Trojan file will be launched each times Windows is rebooted on the victim machine:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]"intell32.exe" = "%System%\intell32.exe"
The Trojan also creates the following registry keys:
[HKCR\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}] [HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update]Payload
The Trojan will change the desktop configuration of the infected computer.
Trojan.Win32.Small.ev changes the following system registry key values in modify the background colour, wallpaper, and other desktop parameters.
[HKCU\Control Panel\Colors]"Background" = "0 0 0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage" = "1
" "NoDispBackgroundPage" = "1"
[HKCU\Control Panel\Desktop]
"WallpaperStyle" = "0"
"Wallpaper" = "%SystemRoot%\%System%\wppp.html"
The Trojan causes the following wallpaper to be displayed:
It creates the following icon in the system tree:
When the mouse is passed over the icon shown above, the following message will be displayed:
Your computer is infected.The Trojan will also cause the following message to be displayed at random intervals:
If the user double-clicks on the icon or a link created on the desktop, the Trojan will open the browser at http://www.psgu***.com/?aff=**&sub=0 and may download other files from this site.