
Small.DOG


First posted on 01 March 2007.
Source: SecurityHome

Aliases:

Small.DOG is also known as Troj/DwnLdr-FDR, Trojan-Downloader.Win32.Small.dog.

Explanation:

Small.DOG is a trojan that secretly downloads and runs other files from a remote website. It attempts to download another trojan and activate it on the infected system. It arrives on the system as an attachment to spammed German language e-mails with the filename Document.doc.exe.

Small.DOG is a trojan downloader that arrives on the system as an attachment to spammed German e-mail messages.
Below is an example of the spammed e-mail message:




It uses the filename Document.doc.exe and disguises itself as a normal Word document by using the Microsoft Word icon as its stealth mechanism.




Upon execution, Small.DOG creates a new instance of Svchost.exe using itself as the parameter.

It then drops the following file in the Windows System folder:

  • {Copied filename of any file found on the Windows System directory}{Random character}.exe
It installs the following registry entries as its autostart technique:
  • [HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
    {Special Character}:=7<${Special Character}#72'6S =
    "C:\%WinDirSys%\%FileName%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\OLE]
    {Special Character}:=7<${Special Character}#72'6S =
    "C:\%WinDirSys%\%FileName%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    {Special Character}:=7<${Special Character}#72'6S =
    "C:\%WinDirSys%\%FileName%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
    {Special Character}:=7<${Special Character}#72'6S =
    "C:\%WinDirSys%\%FileName%.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
    {Special Character}:=7<${Special Character}#72'6S =
    "C:\%WinDirSys%\%FileName%.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    {Special Character}:=7<${Special Character}#72'6S =
    "C:\%WinDirSys%\%FileName%.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    {Special Character}:=7<${Special Character}#72'6S =
    "C:\%WinDirSys%\%FileName%.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    {Special Character}:=7<${Special Character}#72'6S =
    "C:\%WinDirSys%\%FileName%.exe"
Note: %WinDirSys% is by default C:\Windows\System32 and %FileName% represents the copied filename plus the random character.
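The dropped-file naming and autostart locations above give a defender two things to check together: an autostart value whose data points at an .exe in the System folder whose name is an existing System file name plus one extra character, and a value name made of special characters rather than a readable word. The following added example (not from SecurityHome and not the advisory's own tooling) implements that heuristic over a constructed registry snapshot and System folder listing; the dict layout, the sample entries and the "readable name" threshold are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Autostart keys named in the advisory (HKCU and HKLM variants).
AUTOSTART_KEYS = [
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
]

# Value data of the form "C:\Windows\System32\<name>.exe" (default %WinDirSys%), quotes optional.
SYS32_EXE = re.compile(r'^"?C:\\Windows\\System32\\([^\\"]+)\.exe"?$', re.IGNORECASE)


def is_suspicious_entry(value_name: str, value_data: str, system32_files: List[str]) -> bool:
    """Heuristic (assumption): System32 .exe whose name is an existing System32
    file name (with or without extension) plus one trailing character, registered
    under a value name that is mostly non-alphanumeric."""
    m = SYS32_EXE.match(value_data.strip())
    if not m:
        return False
    stem = m.group(1)
    known = {f.lower() for f in system32_files}
    known |= {f.rsplit(".", 1)[0].lower() for f in system32_files}
    if len(stem) < 2 or stem[:-1].lower() not in known:
        return False
    special = sum(1 for ch in value_name if not ch.isalnum())
    return special * 2 >= len(value_name)


def scan_autostart(registry: Dict[str, Dict[str, str]],
                   system32_files: List[str]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, value data) for every suspicious autostart entry."""
    hits = []
    for key in AUTOSTART_KEYS:
        for name, data in registry.get(key, {}).items():
            if is_suspicious_entry(name, data, system32_files):
                hits.append((key, name, data))
    return hits


# Constructed sample snapshot: one legitimate Run entry and one mimicking the advisory.
SAMPLE_SYSTEM32 = ["ctfmon.exe", "shell32.dll", "calc.exe"]
SAMPLE_REGISTRY = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ctfmon": r"C:\Windows\System32\ctfmon.exe",
        ":=7<$#72'6S": r'"C:\Windows\System32\shell32.dllQ.exe"',
    },
}
```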

Small.DOG attempts to connect to one of several hard-coded websites to download an encrypted text file.
It then decrypts the downloaded text file to reveal the following download path:
  • apte-hamburg.de/Deutsch/Aktuell/{BLOCKED}.exe
Small.DOG will then download and execute this file. The downloaded file is already detected as Trojan-Spy.Win32.BZup.bl.

Last update 01 March 2007
