First posted on 15 June 2007.
Source: SecurityHome
Trojan-Downloader:W32/Small.CZL is also known as Trojan.Spy.Agent.NDY, Small.czl, Trojan-Downloader.Win32.Small.czl.
Trojan-Downloader:W32/Small.CZL steals passwords and downloads files from several websites and executes them.
Trojan-Downloader:W32/Small.CZL is a trojan used to steal passwords from QQ Instant Messenger; it also tries to download other components from the Internet. It may arrive on the system as a component of other malware or may be downloaded from the Internet directly.
Upon execution, it drops the following files:
- %SysDir%\ctfnom.exe - Main executable file of the malware
- %SysDir%\drivers\usbine.sys - Component file detected as Trojan-Downloader.Win32.Small.czl
This trojan checks for the installation of the Chinese Instant Messenger QQ in the system by searching for the following registry entry:
- [HKLM\SOFTWARE\TENCENT\PLATFORM_TYPE_LIST\1]
TyePath
Note: TyePath contains the path where the QQ.exe file is located, usually %ProgramFiles%\Tencent\QQ.
If the QQ Instant Messenger is installed, it will search for the following file in the QQ installation path:
- TIMPLATFORM.EXE
When this file is found, the trojan renames the original TIMPLATFORM.EXE to TIMPLATFROM.EXE. After that, it creates a copy of itself under the name TIMPLATFORM.EXE.
It creates the following autostart registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
twin = "%SysDir%\ctfnom.exe"
It also sets the value of the following registry entry as part of its installation routine:
- [HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
load = 8
Trojan-Downloader:W32/Small.CZL also tries to delete the following file:
It also deletes the following registry key:
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs]
In order to steal passwords from QQ Instant Messenger, this trojan monitors the window used by QQ.exe and logs keystrokes.
This trojan may also download other components from the Internet.
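The following script is an added example (not part of the original description) that turns the indicators listed above into a host check a responder could run against a collected snapshot: the two dropped files, the `twin` autostart value and the `load` value, plus the tell-tale TIMPLATFROM.EXE left in the QQ directory after the binary swap. The snapshot format, the %SysDir% and %ProgramFiles% expansions, and the infected and clean sample hosts are all constructed for illustration; only the indicator strings come from the page.

```python
"""Indicator check for the Trojan-Downloader:W32/Small.CZL artefacts listed
in the description above. Added example, not from the original page; it
matches a snapshot of file paths and registry values against the dropped
files and autostart entries the write-up names."""
import ntpath

# Placeholder expansion for the write-up's %SysDir% / %ProgramFiles%.
# The values are assumed defaults for a 32-bit Windows host of that era,
# not taken from the page.
ENV = {
    "%SysDir%": r"C:\WINDOWS\system32",
    "%ProgramFiles%": r"C:\Program Files",
}

# Dropped files named in the description.
DROPPED_FILES = [
    r"%SysDir%\ctfnom.exe",
    r"%SysDir%\drivers\usbine.sys",
]

# Registry values set during installation: (hive\key, value name, data).
REGISTRY_VALUES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
     "twin", r"%SysDir%\ctfnom.exe"),
    (r"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
     "load", "8"),
]

# QQ's install path is read from this value; the trojan renames the real
# TIMPLATFORM.EXE to TIMPLATFROM.EXE there, so the misspelt file is a tell.
TENCENT_KEY = r"HKLM\SOFTWARE\TENCENT\PLATFORM_TYPE_LIST\1"
QQ_PATH_VALUE = "TyePath"
QQ_SWAPPED_NAME = "TIMPLATFROM.EXE"


def expand(path: str) -> str:
    """Replace the %Var% placeholders used in the write-up with ENV values."""
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path


def _norm(path: str) -> str:
    # Case-insensitive, separator-normalised comparison, as Windows would do.
    return ntpath.normcase(ntpath.normpath(path))


def scan(files, registry):
    """Return a list of (indicator_kind, detail) tuples found in a snapshot.

    files    : iterable of absolute file paths present on the host
    registry : dict mapping "HIVE\\key" -> {value_name: data}
    """
    present = {_norm(f) for f in files}
    findings = []

    for dropped in DROPPED_FILES:
        full = expand(dropped)
        if _norm(full) in present:
            findings.append(("dropped_file", full))

    for key, name, expected in REGISTRY_VALUES:
        data = registry.get(key, {}).get(name)
        if data is not None and _norm(str(data)) == _norm(expand(expected)):
            findings.append(("registry_value", f"{key}\\{name} = {data}"))

    qq_path = registry.get(TENCENT_KEY, {}).get(QQ_PATH_VALUE)
    if qq_path:
        swapped = ntpath.join(qq_path, QQ_SWAPPED_NAME)
        if _norm(swapped) in present:
            findings.append(("qq_binary_swapped", swapped))

    return findings


# Constructed sample snapshots (not real host data).
INFECTED_FILES = [
    r"C:\WINDOWS\system32\ctfnom.exe",
    r"C:\WINDOWS\system32\drivers\usbine.sys",
    r"C:\Program Files\Tencent\QQ\TIMPLATFORM.EXE",
    r"C:\Program Files\Tencent\QQ\TIMPLATFROM.EXE",
]
INFECTED_REGISTRY = {
    TENCENT_KEY: {QQ_PATH_VALUE: r"C:\Program Files\Tencent\QQ"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run":
        {"twin": r"C:\WINDOWS\system32\ctfnom.exe"},
    r"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows": {"load": "8"},
}
CLEAN_FILES = [r"C:\Program Files\Tencent\QQ\TIMPLATFORM.EXE"]
CLEAN_REGISTRY = {TENCENT_KEY: {QQ_PATH_VALUE: r"C:\Program Files\Tencent\QQ"}}

if __name__ == "__main__":
    for kind, detail in scan(INFECTED_FILES, INFECTED_REGISTRY):
        print(f"[{kind}] {detail}")
```

On a live host the `files` list would come from a directory listing of the system and QQ directories and `registry` from exporting the keys above; the match is deliberately exact on the `load` data and the `twin` path so that an unrelated autostart entry under the same key does not raise a finding.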
Last update 15 June 2007