Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Small.L

Aliases:Virus.Win32.Small.l (Kaspersky), W32.Madangel (Symantec), W32/Alisa.d (McAfee) 
Type of infiltration:Virus  
Size:5322 B 
Affected platforms:Microsoft Windows 
Signature database version:1941 (20061228) 

Short description

Win32/Small.L is a file infector. The virus tries to download and execute several files from the Internet.

Installation

When executed, the virus creates the following files:
  • %system%Serverx.exe (9418 B)
In order to be executed on every system start, the virus sets the following Registry entry:
  • [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion
    Run]
    "Serverx" = "%system%Serverx.exe"
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices
    LanmanServerParameters]
    "AutoShareWks" = 0
    "AutoShareServer" = 0

Executable file infection

The virus searches local and network drives for executable files.

The virus searches for executables with one of the following extensions:
  • .exe
  • .scr
Executables are infected by appending the code of the virus to the last section.

The host file is modified in a way that causes the virus to be executed prior to running the original code.

The size of the inserted code is 5322 B.

It avoids files which contain any of the following strings in their path:
  • winn
  • wind

Other information

The virus contains an URL address. It tries to download a file from the address. The HTTP protocol is used.

The file is stored in the following location:
  • c:setupx.dll
The file is then executed.

The virus launches the following processes:
  • %system%setupx.exe
  • %system%updatex.exe
The virus contains the following text:
  • Angry Angel v3.0
The virus may create and run a new thread with its own program code within any running process.