Selected viruses, spyware, and other threats: sorted alphabetically

O
P
Q
R
S
T
U
V
W
X
Y
Z
Glossary

Win32/Small.CVQ

Aliases:	Email-Worm.Win32.Gibon.hi (Kaspersky), Backdoor.Exdis (Symantec), Backdoor:Win32/Syrutrk.A (Microsoft)
Type of infiltration:	Trojan
Size:	11776 B
Affected platforms:	Microsoft Windows
Signature database version:	2927 (20080306)

Short description

The trojan serves as a proxy server.

Installation

When executed, the trojan creates the following files:

%system%wininet.exe (11776 B)
%system%svshost.dll (2560 B)

In order to be executed on every system start, the trojan sets the following Registry entries:

[HKEY_CLASSES_ROOTCLSID{D7FFD784-5276-42D1-887B-00267870A4C7}
InProcServer32]
"(Default)" = "%system%svshost.dll"
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion
ShellServiceObjectDelayLoad]
"SysRun" = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl
MPRServiceswinsys]
"DLLName" = "%system%svshost.dll"
"EntryPoint" = "win1"
"StackSize" = 16843009

The following Registry entry is set:

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices
SharedAccessParametersFirewallPolicyStandardProfile
AuthorizedApplicationsList]
"%system%wininet.exe" = "%system%wininet.exe:*:Enabled:Windows XP Update"

The performed command creates an exception in the Windows Firewall.

Information stealing

The following information is collected:

opened TCP port number

The trojan can send the information to a remote machine.

Other information

The trojan opens a random TCP port.

A proxy is listening there.

The trojan is sent data and commands from a remote computer or the Internet.

The trojan contains a list of (1) URLs.

The HTTP protocol is used.