Virus:Win32/Small.R


First posted on 24 April 2009.
Source: SecurityHome

Aliases :

Virus:Win32/Small.R is also known as: BackDoor.Generic7.MRW (AVG), Trojan.Autorun.PD (BitDefender), Win32/Enfomend.A (CA), Win32/Small.R (ESET), Virus.Win32.Small.r (Kaspersky), Generic BackDoor.j (McAfee), W32/Smalldoor.AOLQ (Norman), Trj/Agent.FQZ (Panda), W32/SillyFDC-H (Sophos), W32.SillyDC (Symantec), WORM_SMALL.HYN (Trend Micro).

Explanation :

Virus:Win32/Small.R is a virus that copies itself to the local computer and to removable drives.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    %windir%\system\svchost.exe
    <removable drive:>\recycler\info.exe
    <removable drive:>\autorun.inf
  • The presence of the following registry modifications:
    Value: "Userinit"
    With data: "userinit.exe,%windir%\system\svchost.exe"
    In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon


Installation
Virus:Win32/Small.R can infect the local computer when a user connects an infected removable drive with Autorun (Autoplay) enabled. When run, it copies itself as the following:

%windir%\system\svchost.exe

The dropped copy is then run. The registry is modified to run the dropped copy at each Windows start.

Adds value: "Userinit"
With data: "userinit.exe,%windir%\system\svchost.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Spreads Via…

Removable Drives
Virus:Win32/Small.R copies itself to removable drives and creates the following files:

<drive:>\recycler\info.exe - copy of Virus:Win32/Small.R
<drive:>\recycler\desktop.ini
<drive:>\autorun.inf

The autorun configuration file named 'autorun.inf' points to the file '\recycler\info.exe'. When the removable or networked drive is accessed from another machine supporting the Autorun feature, the malware is launched automatically. The autorun file is identified as Worm:Win32/Autorun!inf.
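
As an added example (not part of the original write-up), the Python below checks exported Userinit data and the text of an autorun.inf against the indicators described above. The function names and sample inputs are constructed for illustration; the page does not show the actual autorun.inf contents, so the example assumes the standard Autorun launch keys (open, shellexecute, shell\...\command).

```python
# Added example: triage helpers for the Userinit and autorun.inf indicators.
# All sample inputs below are constructed, not captured from a real infection.

DRIVE_COPY = r"recycler\info.exe"  # drive-side copy named in the description


def userinit_extras(data):
    """Return Userinit entries other than the stock userinit.exe."""
    extras = []
    for entry in data.split(","):
        entry = entry.strip().strip('"').lower()
        if not entry:
            continue  # the stock value ends with a trailing comma
        if entry == "userinit.exe" or entry.endswith(r"\system32\userinit.exe"):
            continue
        extras.append(entry)
    return extras


def autorun_targets(text):
    """Return the programs an autorun.inf would launch ([autorun] section only)."""
    targets, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")
            ):
                targets.append(value)
    return targets


def points_to_drive_copy(text):
    """True if any autorun target references recycler\\info.exe."""
    return any(DRIVE_COPY in t.lower().replace("/", "\\") for t in autorun_targets(text))


# Constructed samples
INFECTED_USERINIT = r"userinit.exe,%windir%\system\svchost.exe"
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"
SAMPLE_AUTORUN = "[AutoRun]\nopen=recycler\\info.exe\nshell\\open\\command=recycler\\info.exe\nicon=shell32.dll,4\n"

if __name__ == "__main__":
    print(userinit_extras(INFECTED_USERINIT))  # extra Userinit entries
    print(userinit_extras(CLEAN_USERINIT))     # nothing beyond the stock entry
    print(points_to_drive_copy(SAMPLE_AUTORUN))
```

Any non-empty result from `userinit_extras` deserves review regardless of the path, since the stock value launches only userinit.exe.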

Analysis by Shawn Wang

Last update 24 April 2009

     
