TrojanDownloader:Win32/Small.gen!M
First posted on 19 September 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Small.gen!M is also known as Mal/Behav-160 (Sophos), TROJ_SCAR.ADI (Trend Micro), Trojan.Siggen3.2688 (Dr.Web), Trojan.Win32.Scar.bxtk (Kaspersky).
Explanation:
TrojanDownloader:Win32/Small.gen!M is a trojan that downloads and runs other malware, including Trojan:Win32/SystemHijack.gen!C, PWS:Win32/Zbot.gen!C and Trojan:Win32/Sisproc.
Installation
The trojan may be installed onto your computer by other malware. It may also be launched or run by other malware.
At the time of analysis, we are unable to confirm the precise nature of the installation of TrojanDownloader:Win32/Small.gen!M onto your computer.
Payload
Drops and installs other malware
When executed, TrojanDownloader:Win32/Small.gen!M drops and runs the following file:
%TEMP%\tianyan8.exe - detected as Trojan:Win32/SystemHijack.gen!C
Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Temporary Files folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista and 7, the default location is "C:\Users\<user name>\AppData\Local\Temp".
This dropped file then drops the following file to %windir%:
akserver.exe - detected as PWS:Win32/Zbot.gen!C
Note: %windir% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Windows folder for Windows 2000 and NT is "C:\WinNT"; and for XP, Vista, and 7 it is "C:\Windows".
After dropping the file, "tianyan8.exe" attempts to delete itself with a batch script file.
Downloads and installs other malware
TrojanDownloader:Win32/Small.gen!M downloads the file "s.exe" from "hxxp://dl.dls521.com" on port 521.
It then installs that file as "%TEMP%\mylitns8.exe", which is detected as Trojan:Win32/Sisproc.
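The file and network indicators described above can be matched against endpoint telemetry, as in the following added example (not part of the original entry and not Microsoft's code). The event dictionaries and their field names are constructed for illustration, and accepting the long-name form of the XP temp path is an assumption beyond the short form the entry quotes.

```python
import ntpath
import re

# Indicators from the entry: (location, file name) -> detection name.
FILE_INDICATORS = {
    ("temp", "tianyan8.exe"): "Trojan:Win32/SystemHijack.gen!C",
    ("windir", "akserver.exe"): "PWS:Win32/Zbot.gen!C",
    ("temp", "mylitns8.exe"): "Trojan:Win32/Sisproc",
}
DOWNLOAD_HOST, DOWNLOAD_PORT = "dl.dls521.com", 521

# Default %TEMP% and %windir% locations from the entry's notes, lower-cased.
# Assumption: the long-name form of the XP path is accepted as well as 8.3.
TEMP_RE = re.compile(
    r"^c:\\(docume~1|documents and settings)\\[^\\]+\\(locals~1|local settings)\\temp$"
    r"|^c:\\users\\[^\\]+\\appdata\\local\\temp$")
WINDIR_RE = re.compile(r"^c:\\(winnt|windows)$")

def classify_dir(directory):
    """Map a directory to 'temp', 'windir' or None, ignoring case."""
    d = ntpath.normpath(directory).lower()
    if TEMP_RE.match(d):
        return "temp"
    return "windir" if WINDIR_RE.match(d) else None

def match_event(event):
    """Return a finding string for one event dict, or None."""
    if event["type"] == "file_create":
        directory, name = ntpath.split(ntpath.normpath(event["path"]))
        det = FILE_INDICATORS.get((classify_dir(directory), name.lower()))
        return f"{event['path']} -> {det}" if det else None
    if event["type"] == "net_connect":
        host = event["host"].lower().rstrip(".")
        if host == DOWNLOAD_HOST and event["port"] == DOWNLOAD_PORT:
            return f"{host}:{event['port']} -> s.exe download location"
    return None

def scan(events):
    return [f for f in map(match_event, events) if f]

SAMPLE_EVENTS = [  # constructed telemetry, hypothetical field names
    {"type": "file_create", "path": r"C:\DOCUME~1\bob\LOCALS~1\Temp\tianyan8.exe"},
    {"type": "file_create", "path": r"C:\WINDOWS\akserver.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\MYLITNS8.EXE"},
    {"type": "file_create", "path": r"C:\Users\alice\Downloads\akserver.exe"},  # wrong dir
    {"type": "net_connect", "host": "dl.dls521.com", "port": 521},
    {"type": "net_connect", "host": "dl.dls521.com", "port": 443},  # wrong port
]
if __name__ == "__main__": print("\n".join(scan(SAMPLE_EVENTS)))
```

Matching on the directory as well as the file name keeps a same-named file in an unrelated folder from being flagged; hosts where %TEMP% has been relocated from the defaults listed in the entry would need their own pattern.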
Related encyclopedia entries
Trojan:Win32/SystemHijack.gen!C
PWS:Win32/Zbot.gen!C
Trojan:Win32/Sisproc
Analysis by Daniel Radu
Last update 19 September 2012