TrojanDownloader:Win32/Small.ZZJ

Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Feb 18, 2011

Aliases
  • Trojan-Downloader.Win32.Small.bjts (Kaspersky)
  • Trojan horse Downloader.Adload.PL (AVG)
  • Win32/TrojanDownloader.Fosniw.AL (ESET)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.99.1311.0
Released: Mar 16, 2011
Detection initially created:
Definition: 1.97.1233.0
Released: Feb 08, 2011

Summary

TrojanDownloader:Win32/Small.ZZJ is a 61,952-byte Win32 executable that, when run, contacts remote hosts to download and execute arbitrary files without the user's consent.

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following registry modifications:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "cwintool"
    With data: "c:\documents and settings\administrator\application data\cwintool.exe"

    In subkey: HKCU\Software\cwintool
    Sets value: "idt"
    With data: "201101061309"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cwin
    Sets value: "DisplayName"
    With data: "cwintool uninstall"

Technical Information (Analysis)

TrojanDownloader:Win32/Small.ZZJ is a 61,952-byte Win32 executable that, when run, contacts remote hosts to download and execute arbitrary files without the user's consent.
Installation
TrojanDownloader:Win32/Small.ZZJ may be spammed to an affected user as an executable; in the wild, we have observed the trojan using the following name:
 
  • cwintool.exe
 
The name of the executable file may vary; it may be changed, using social engineering, to entice a user to run it.
 
 
On execution, the trojan creates a mutex named "cwintool" so that only one instance of the trojan process runs at a time.
 
TrojanDownloader:Win32/Small.ZZJ modifies the following registry entry to ensure that its copy executes at each Windows start:
 
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "cwintool"
With data: "c:\documents and settings\administrator\application data\cwintool.exe"
 
TrojanDownloader:Win32/Small.ZZJ creates the following registry entries to store its internal state:
 
In subkey: HKCU\Software\cwintool
Sets value: "idt"
With data: "201101061309"
 
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cwin
Sets value: "DisplayName"
With data: "cwintool uninstall"
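The registry indicators above (listed under Symptoms and repeated in this Installation section) can be checked offline against a registry export rather than on the live machine. The following script is an added example, not code from this entry or from Microsoft: it parses a Registry Editor 5.00 (.reg) export, which is constructed here rather than captured from an infected host, and reports which of the three indicators are present. The key and value names are the ones the entry lists; matching the Run entry on the value name or the file name rather than the full path is an assumption, made because the profile directory in the path differs from one user account to the next.

```python
"""Check a Windows registry export (.reg, Registry Editor 5.00 format) for the
three registry indicators this entry attributes to TrojanDownloader:Win32/Small.ZZJ.
Example code added to this entry, not part of the original; the export below is
constructed, not captured from an infected host."""
import re

# Constructed export. The Run value path is the one the entry lists; under a
# different account the profile directory, and so the path, would differ.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"cwintool"="c:\\documents and settings\\administrator\\application data\\cwintool.exe"

[HKEY_CURRENT_USER\Software\cwintool]
"idt"="201101061309"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cwin]
"DisplayName"="cwintool uninstall"
'''

HIVES = {
    "HKEY_CLASSES_ROOT": "HKCR", "HKEY_CURRENT_USER": "HKCU",
    "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU", "HKEY_CURRENT_CONFIG": "HKCC",
}

# Keys and values from the entry.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
STATE_KEY = r"HKCU\Software\cwintool"
UNINSTALL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cwin"

_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " inside quoted strings."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse an export into {key: {value_name: data}}.  Key paths are lower-cased
    because the registry is case-insensitive, and hive names are abbreviated to
    the HKCU/HKLM form used in the entry.  REG_SZ and REG_DWORD data are decoded;
    other types are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):          # "[-HKEY_...]" deletes a key; nothing to record
                current = None
                continue
            hive, sep, rest = path.partition("\\")
            current = (HIVES.get(hive, hive) + sep + rest).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m is None or current is None:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def find_indicators(keys):
    """Return [(indicator, detail), ...] for each of the entry's registry
    indicators present in a parsed export."""
    hits = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        # Assumption: match on the value name or the file name, not the full
        # path, since the profile directory in the path varies by user.
        path = data.lower() if isinstance(data, str) else ""
        if name.lower() == "cwintool" or path.endswith("\\cwintool.exe"):
            hits.append(("run_key_persistence", f"{RUN_KEY}\\{name} = {data}"))
    state = keys.get(STATE_KEY.lower())
    if state is not None:
        hits.append(("state_key", f"{STATE_KEY}\\idt = {state.get('idt')}"))
    uninstall = keys.get(UNINSTALL_KEY.lower())
    if uninstall is not None:
        hits.append(("uninstall_entry",
                     f"{UNINSTALL_KEY}\\DisplayName = {uninstall.get('DisplayName')}"))
    return hits


if __name__ == "__main__":
    for indicator, detail in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"{indicator}: {detail}")
```

On a real investigation, export the relevant hives with `reg export` from the suspect machine (HKCU must be exported under the affected user's account, since the Run key and the cwintool key live in that user's hive) and pass the file's contents to parse_reg in place of the constructed sample.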
Payload
Downloads and executes arbitrary files
The trojan attempts to download and execute arbitrary files from the following domain:
 
  • "p.cwintool.com"
 
At the time of writing, there were no files available for download.
 
Contacts remote hosts
The trojan contacts the following domain to report information about the system on which it runs:
 
  • "app.cwintool.com"
 
This information includes the MAC address, the trojan's version, and several parameters that indicate which stage of execution the trojan has reached.
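As an added example, not part of this entry or of Microsoft's tooling, the following script scans proxy-log lines for requests to the two hosts named above and groups them by client, so that an analyst can list the machines that reached the download or beacon host. The log lines and their four-field format are constructed for the example, and the request paths are placeholders, since the entry does not describe the request format. Treating other hosts under cwintool.com as related infrastructure is an assumption; the entry names only p.cwintool.com and app.cwintool.com.

```python
"""Flag proxy-log requests to the hosts this entry attributes to
TrojanDownloader:Win32/Small.ZZJ and group them by client.  Example code added
to this entry, not part of the original; the log lines below are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts named in the analysis, with the role the analysis gives each.
KNOWN_HOSTS = {
    "p.cwintool.com": "download stage (arbitrary files)",
    "app.cwintool.com": "beacon (MAC address, trojan version, stage parameters)",
}
# Assumption: any other host under the same parent domain is treated as related
# infrastructure.  The entry itself names only the two hosts above.
PARENT_DOMAIN = "cwintool.com"

# Constructed proxy log, one request per line: "<timestamp> <client> <method> <target>".
# The paths are placeholders; the entry does not describe the request format.
SAMPLE_LOG = """\
2011-02-18T10:15:02Z 10.0.0.15 GET http://app.cwintool.com/
2011-02-18T10:15:03Z 10.0.0.15 GET http://p.cwintool.com/
2011-02-18T10:15:04Z 10.0.0.15 CONNECT cdn.cwintool.com:443
2011-02-18T10:16:10Z 10.0.0.23 GET http://www.microsoft.com/windows/antivirus-partners/
2011-02-18T10:16:11Z 10.0.0.23 GET http://cwintool.com.example.net/
2011-02-18T10:17:00Z 10.0.0.42 GET http://App.CwinTool.Com/
"""


def classify_host(host):
    """Return the role of a contacted host, or None if it is not an indicator.
    Matching is on whole DNS labels, so 'notcwintool.com' and
    'cwintool.com.example.net' do not match."""
    host = host.lower().rstrip(".")
    if host in KNOWN_HOSTS:
        return KNOWN_HOSTS[host]
    if host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN):
        return "related host under " + PARENT_DOMAIN + " (assumed)"
    return None


def request_host(method, target):
    """Extract the host from a log line's target.  CONNECT lines carry a bare
    host:port rather than a URL, so they are split by hand; urlsplit would
    otherwise read 'host.example:443' as a scheme."""
    if method.upper() == "CONNECT":
        return target.rsplit(":", 1)[0]
    return urlsplit(target).hostname or ""


def scan_log(text):
    """Return {client: [(timestamp, host, role), ...]} for every request that
    reached an indicator host, in log order.  Lines that do not have exactly
    four fields are skipped rather than guessed at."""
    hits = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        timestamp, client, method, target = fields
        host = request_host(method, target).lower().rstrip(".")
        role = classify_host(host)
        if role is not None:
            hits[client].append((timestamp, host, role))
    return dict(hits)


if __name__ == "__main__":
    for client, requests in scan_log(SAMPLE_LOG).items():
        print(client)
        for timestamp, host, role in requests:
            print(f"  {timestamp} {host}: {role}")
```

A client that appears only against p.cwintool.com has reached the download stage, so its host should be checked for the registry indicators and for any files dropped after that request; at the time the entry was written no payload was being served there, but that can change without the trojan itself changing.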
 
Analysis by Oleg Petrovsky

Prevention


Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.