Backdoor:W32/Small.H
First posted on 16 July 2010.
Source: SecurityHome
Aliases :
There are no other names known for Backdoor:W32/Small.H.
Explanation :
A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.
Additional Details
Small.H is a virus with an internal spamming engine and backdoor functionality. Please see the sections below for more details.
Small.H, originally named lsass.exe, spreads itself using an internal spamming engine that is controlled through a previously set-up backdoor.
It fools the user into executing its exe file by using a Windows folder icon and file names such as:
• Data.exe
• Documents.exe
• HotPictures.exe
• HotXXX.exe
• ImageGirls.exe
• SexyBoy.exe
• SexyGirls.exe
• Songs.exe
Small.H creates several copies of itself:
• C:\[Documents and Settings]\[Current User]\csrss.exe
• C:\[Documents and Settings]\[Current User]\Local Settings\Temp\FolderData.exe
• C:\[Documents and Settings]\[Current User]\winlogon.exe
• C:\RECYCLER\lsass.exe
• C:\RECYCLER\msinfo\msinfo.exe
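A defender-side check for the lure names and file copies listed above, as an added example that is not part of the original write-up: it flags a Windows system process name found outside System32, the two other drop locations, and the lure file names. The function names, the sample paths and the assumption that genuine csrss.exe, winlogon.exe and lsass.exe live only in C:\Windows\System32 belong to this example.

```python
import ntpath  # Windows path rules, usable on any OS

# System process names the write-up says Small.H copies itself as.
SYSTEM_NAMES = {"csrss.exe", "winlogon.exe", "lsass.exe"}
# Lure file names listed in the write-up (weak signal: some are common names).
LURE_NAMES = {"data.exe", "documents.exe", "hotpictures.exe", "hotxxx.exe",
              "imagegirls.exe", "sexyboy.exe", "sexygirls.exe", "songs.exe"}
# Remaining drop locations from the write-up, as lower-case path tails.
DROP_TAILS = (r"\recycler\msinfo\msinfo.exe",
              r"\local settings\temp\folderdata.exe")


def classify(path, system_root=r"C:\Windows"):
    """Return (severity, reason) if path matches the write-up, else None."""
    norm = ntpath.normcase(ntpath.normpath(path))  # lower-case, backslashes
    name = ntpath.basename(norm)
    folder = ntpath.dirname(norm)
    # Assumption: the genuine binaries exist only in <system_root>\System32.
    system32 = ntpath.normcase(ntpath.join(system_root, "System32"))
    if name in SYSTEM_NAMES and folder != system32:
        return ("high", "system process name outside System32")
    if norm.endswith(DROP_TAILS):
        return ("high", "drop location listed in the write-up")
    if name in LURE_NAMES:
        return ("low", "lure file name listed in the write-up")
    return None


def scan(paths, system_root=r"C:\Windows"):
    """Map each matching path to its (severity, reason) verdict."""
    verdicts = ((p, classify(p, system_root)) for p in paths)
    return {p: v for p, v in verdicts if v is not None}


# Constructed sample paths (not taken from a real host).
SAMPLE_PATHS = [
    r"C:\Windows\System32\lsass.exe",
    r"C:\RECYCLER\lsass.exe",
    r"C:\Documents and Settings\alice\csrss.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\FolderData.exe",
    r"c:\recycler\MSINFO\msinfo.exe",
    r"E:\HotPictures.exe",
    r"C:\Program Files\Example\setup.exe",
]

if __name__ == "__main__":
    for path, (severity, reason) in scan(SAMPLE_PATHS).items():
        print(f"{severity:4} {path}  ({reason})")
```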
It creates a number of autostart keys in the registry such as:
• [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  Added value to "System"
  Added value to "Userinit"
• [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  Added value to "load"
• [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
  Added value to (Default)
• Service key tree:
  o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsInfo]

Last update 16 July 2010