Threat Encyclopedia

Win32/Small.CVQ

Aliases: Email-Worm.Win32.Gibon.hi (Kaspersky), Backdoor.Exdis (Symantec), Backdoor:Win32/Syrutrk.A (Microsoft)
Type of infiltration: Trojan
Size: 11776 B
Affected platforms: Microsoft Windows
Signature database version: 2927 (20080306)

Short description

The trojan serves as a proxy server.

Installation

When executed, the trojan creates the following files:
  • %system%\wininet.exe (11776 B)
  • %system%\svshost.dll (2560 B)
In order to be executed on every system start, the trojan sets the following Registry entries:
  • [HKEY_CLASSES_ROOT\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32]
    "(Default)" = "%system%\svshost.dll"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "SysRun" = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MPRServices\winsys]
    "DLLName" = "%system%\svshost.dll"
    "EntryPoint" = "win1"
    "StackSize" = 16843009
The following Registry entry is set:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%system%\wininet.exe" = "%system%\wininet.exe:*:Enabled:Windows XP Update"
This entry creates an exception in the Windows Firewall.
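
One way to check a host for the entries listed above, as an added example that is not part of the original entry: it parses the text of a registry export, resolves each ShellServiceObjectDelayLoad CLSID to the DLL registered for it, and reports the three autostart entries and the firewall exception. The function names and the sample export are constructed for illustration, with C:\WINDOWS\system32 assumed for %system%.

```python
import ntpath, re

# Indicators from the entry above; files are matched by name because %system% differs per host.
CLSID, DLL, EXE = "{D7FFD784-5276-42D1-887B-00267870A4C7}", "svshost.dll", "wininet.exe"
SSODL = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELLSERVICEOBJECTDELAYLOAD"
MPR = r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\MPRSERVICES" + "\\"
FW = (r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS"
      r"\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST")
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unquote(s):  # strip .reg quoting and undo its backslash escaping
    s = s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse registry-export text into {KEY_PATH_UPPER: {value_name_lower: data}}."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].upper(), {})
        elif cur is not None and (m := VALUE.match(line)):
            cur[unquote(m.group(1)).lower()] = unquote(m.group(2))
    return keys

def scan(text):
    """Return (location, name, data) findings; each delay-loaded CLSID is resolved to its DLL."""
    keys, hits = parse_reg(text), []
    for name, clsid in keys.get(SSODL, {}).items():
        dll = keys.get("HKEY_CLASSES_ROOT\\CLSID\\%s\\INPROCSERVER32" % clsid.upper(), {}).get("@", "")
        if clsid.upper() == CLSID or ntpath.basename(dll).lower() == DLL:
            hits.append(("ShellServiceObjectDelayLoad", name, dll))
    for key, vals in keys.items():
        if key.startswith(MPR) and ntpath.basename(vals.get("dllname", "")).lower() == DLL:
            hits.append(("MPRServices", key[len(MPR):], vals["dllname"]))
    fw = keys.get(FW, {}).items()  # value names were lower-cased by parse_reg
    hits += [("FirewallException", app, rule) for app, rule in fw if ntpath.basename(app) == EXE]
    return hits

# Constructed sample export: C:\WINDOWS\system32 stands in for %system%; WebCheck is a benign entry.
SAMPLE = r'''[HKEY_CLASSES_ROOT\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32]
@="C:\\WINDOWS\\system32\\svshost.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysRun"="{D7FFD784-5276-42D1-887B-00267870A4C7}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MPRServices\winsys]
"DLLName"="C:\\WINDOWS\\system32\\svshost.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\wininet.exe"="C:\\WINDOWS\\system32\\wininet.exe:*:Enabled:Windows XP Update"
'''
```

Files written by `reg export` are UTF-16 encoded, so decode them before passing the text to `scan()`.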

Information stealing

The following information is collected:
  • opened TCP port number
The trojan can send the information to a remote machine.

Other information

The trojan opens a random TCP port.

A proxy is listening there.

The trojan receives data and commands from a remote computer or the Internet.

The trojan contains a list of 1 URL.

The HTTP protocol is used.