This Trojan is a Windows PE EXE file 40448 bytes in size.
Installation
Once launched, the Trojan creates the following files in the Windows system and root directories:
%System%\intell32.exe
%System%\oleext.dll
%System%\oleext32.dll
%System%\wppp.html
%Windir%\uninstIU.exe
It then registers itself in the system registry, ensuring that the Trojan file will be launched each time Windows is rebooted on the victim machine:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"intell32.exe" = "%System%\intell32.exe"
The Trojan also creates the following registry keys:
[HKCR\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update]
Payload
The Trojan will change the desktop configuration of the infected computer.
Trojan.Win32.Small.ev changes the following system registry key values in order to modify the background colour, wallpaper, and other desktop parameters:
[HKCU\Control Panel\Colors]
"Background" = "0 0 0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage" = "1"
"NoDispBackgroundPage" = "1"
[HKCU\Control Panel\Desktop]
"WallpaperStyle" = "0"
"Wallpaper" = "%SystemRoot%\%System%\wppp.html"
The Trojan causes the following wallpaper to be displayed:
It creates the following icon in the system tray:
When the mouse is passed over the icon shown above, the following message will be displayed:
Your computer is infected.
The Trojan will also cause the following message to be displayed at random intervals:
If the user double-clicks on the icon or a link created on the desktop, the Trojan will open the browser at http://www.psgu***.com/?aff=**&sub=0 and may download other files from this site.
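The file and registry artifacts listed above can be checked on a suspect host with a short PowerShell function. This is an added example, not part of the original description or any vendor tool; the function name is hypothetical, and it assumes %System% means the Windows system directory and %Windir% means $env:windir.

```powershell
# Added example. Assumption: %System% -> Windows system directory,
# %Windir% -> $env:windir. Function name is hypothetical.
function Get-SmallEvArtifact {
    $hits = @()

    # A 32-bit sample on 64-bit Windows is redirected to SysWOW64, so check both.
    $sysDirs = @((Join-Path $env:windir 'System32'), (Join-Path $env:windir 'SysWOW64'))
    foreach ($dir in $sysDirs) {
        foreach ($name in 'intell32.exe', 'oleext.dll', 'oleext32.dll', 'wppp.html') {
            $p = Join-Path $dir $name
            if (Test-Path -LiteralPath $p) { $hits += "file  $p" }
        }
    }
    $p = Join-Path $env:windir 'uninstIU.exe'
    if (Test-Path -LiteralPath $p) { $hits += "file  $p" }

    # Keys the description lists as created by the Trojan.
    $keys = @(
        'Registry::HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}',
        'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $hits += "key   $k" }
    }

    # Values are matched on their data: Wallpaper exists in every profile and
    # the policy values can be set legitimately, so presence alone proves nothing.
    $values = @(
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'intell32.exe'; Like = '*intell32.exe' },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoActiveDesktopChanges'; Like = '1' },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'NoDispAppearancePage'; Like = '1' },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'NoDispBackgroundPage'; Like = '1' },
        @{ Key = 'Control Panel\Desktop'; Name = 'Wallpaper'; Like = '*wppp.html' }
    )
    foreach ($v in $values) {
        $path = "HKCU:\$($v.Key)"
        $item = Get-ItemProperty -LiteralPath $path -Name $v.Name -ErrorAction SilentlyContinue
        if ($item -and ("$($item.($v.Name))" -like $v.Like)) {
            $hits += "value $path\$($v.Name) = $($item.($v.Name))"
        }
    }
    $hits
}

Get-SmallEvArtifact
```

Run it in the affected user's session, because the autorun and desktop values live under HKCU. The three policy values on their own are weak indicators; the dropped files, the Run entry and the wppp.html wallpaper are the stronger ones.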
