Threat behavior
Virus:Win32/Small.R is a virus that copies itself to the local computer and to removable drives.
Installation
Virus:Win32/Small.R can infect the local computer when a user connects an infected removable drive while Autorun (Autoplay) is enabled. When run, it copies itself to the following location:
%windir%\system\svchost.exe
The dropped copy is then run. The registry is modified to run the dropped copy at each Windows start.
Adds value: "Userinit"
With data: "userinit.exe,%windir%\system\svchost.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Spreads Via…
Removable Drives
Virus:Win32/Small.R copies itself to removable drives and creates the following files:
<drive:>\recycler\info.exe - copy of Virus:Win32/Small.R
<drive:>\recycler\desktop.ini
<drive:>\autorun.inf
The autorun configuration file named 'autorun.inf' points to the file '\recycler\info.exe'. When the removable or networked drive is accessed from another machine supporting the Autorun feature, the malware is launched automatically. The autorun file is identified as Worm:Win32/Autorun!inf.
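The two artifacts described above (the extra Userinit entry and an autorun.inf that launches a file under \recycler) can be checked with the following added example, which is not part of the original analysis. The function names, the sample strings and the assumption that a stock Userinit value holds only system32\userinit.exe are illustrative.

```python
import ntpath
import re

# Constructed samples built from the values quoted in this description.
SAMPLE_USERINIT = r"userinit.exe,%windir%\system\svchost.exe"
SAMPLE_AUTORUN = r"""[autorun]
open=\recycler\info.exe
shell\open\command=\recycler\info.exe
"""

def audit_userinit(data, windir=r"C:\Windows"):
    """Return Winlogon Userinit entries other than the stock userinit.exe."""
    # Assumption: the only expected entry is <windir>\system32\userinit.exe.
    expected = ntpath.normcase(ntpath.join(windir, "system32", "userinit.exe"))
    unexpected = []
    for entry in data.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue  # the stock value ends with a trailing comma
        path = re.sub(r"%windir%", lambda m: windir, entry, flags=re.IGNORECASE)
        if not ntpath.dirname(path):
            # Assumption: a bare file name is treated as living in system32.
            path = ntpath.join(windir, "system32", path)
        if ntpath.normcase(path) != expected:
            unexpected.append(entry)
    return unexpected

def autorun_targets(text):
    """Return every program an autorun.inf would launch."""
    targets, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # Launch keys: open=, shellexecute= and shell\<verb>\command=
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value)
    return targets

def recycler_targets(text):
    """Return launch targets that sit inside a 'recycler' folder."""
    return [t for t in autorun_targets(text)
            if "recycler" in ntpath.normcase(t).split("\\")]
```

On a live system, pass audit_userinit the Userinit data read from the Winlogon subkey and pass recycler_targets the contents of <drive:>\autorun.inf.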
Analysis by Shawn Wang
Prevention