TROJ_SMALL.EDW

Malware type: Trojan

Aliases: Email-Worm.Win32.Zhelatin.a (Kaspersky), Downloader-BAI.gen (McAfee), Trojan.Peacomm (Symantec), TR/Small.DBY.G (Avira), Troj/Dorf-Fam (Sophos), Trojan:Win32/Vxidl.gen!dam (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Infection Channel 1 : Spammed via email


Description: 

Barely three weeks into the new year, as the storm "Kyrill" ravaged over central Europe, another "storm" brewed. The new storm was a deluge of spam email messages that promised to bring information about Europe's most severe winter storm since 1999, with subject lines such as "230 dead as storm batters Europe", among others.

That is how this Trojan, arriving as an attachment to the said email messages, came to be dubbed the "Storm" malware. But this Trojan is more than just malware with a clever social engineering technique. Teaming up with WORM_NUWAR.CQ, it formed a partnership that staged a complex attack.

To read a comprehensive article about the routines and ultimate goals of the TROJ_SMALL.EDW-WORM_NUWAR.CQ tandem, click here: TROJ_SMALL.EDW Storms into Inboxes, Teams Up with NUWAR to Create Unique Network.

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

TROJ_SMALL.EDW Behavior Diagram

Malware Overview

This Trojan arrives as a file dropped by other malware like WORM_NUWAR.CQ and WORM_NUWAR.AAI. It may also arrive as a file downloaded unknowingly by a user when visiting malicious URLs. In addition, it may arrive as a downloaded copy by earlier variants.

It is also spammed via email using subject lines related to specific events. The image below is a sample of the said email message.

Sample email message

This Trojan downloads and executes other possibly malicious files from certain Web sites. Downloaded files are detected by Trend Micro as the following:

As a result, malicious routines of the downloaded files are also exhibited on the affected system.

Its component WINCOM32.SYS has rootkit capabilities, which enable this Trojan to hide its files and processes. The said routine allows this Trojan to avoid easy detection.

It connects to specific IP addresses. It does the said routine by opening various UDP ports. Depending on the sample, this worm sends UDP packets to the said IP addresses possibly to establish a peer connection to other infected hosts.

It is also possible that it sends UDP packets to other machines in its attempt to notify a malicious user of its infection, so that the compromised machine can be exploited later on.

Trend Micro already detects this Trojan using the latest virus pattern file. Other Internet users can use HouseCall, the Trend Micro online virus scanner, to check if their systems are affected by this threat. Please refer to the Solution page for the detailed manual removal instructions.

For additional information about this threat, see:

Description created: Jan. 19, 2007 12:59:25 AM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident:  Yes

Size of malware: 29,347 Bytes (compressed)

Ports used: Various UDP ports

Initial samples received on: Jan 17, 2007

Related to: WORM_NUWAR.CQ, WORM_NUWAR.AAI

Payload 1: Downloads files

Details:

Arrival and Autostart Technique

This Trojan arrives as a file dropped by other malware like WORM_NUWAR.CQ and WORM_NUWAR.AAI. It may also arrive as a file downloaded unknowingly by a user when visiting malicious URLs. In addition, it may arrive as a downloaded copy by earlier variants.

It is also currently spammed via email using subject lines related to specific events. The spammed email message has the following details:

Subject: (any of the following)
• 230 dead as storm batters Europe.
• A killer at 11, he's free at 21 and kill again!
• British Muslims Genocide
• Chinese missile shot down Russian satellite
• President of Russia Putin dead.
• Radical Muslim drinking enemies' blood.
• Russian missle shot down Chinese aircraft
• Russian missle shot down USA satellite
• Sadam Hussein safe and sound
• U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel

Attachment: (any of the following)
• Full Clip.exe
• Full Story.exe
• Full Video.exe
• Read More.exe
• Video.exe

The image below is a sample of the said spammed mail:

Sample email message
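The lure subjects and attachment names listed above are a ready-made mail-gateway signature. The following script is an added example (not Trend Micro's code or tooling): it parses an RFC 822 message with Python's standard library and reports why the message matches the Storm lure, either a subject from the list, one of the listed attachment names, or any other executable attachment. Both messages below are constructed for this example; the sender and recipient addresses are placeholders.

```python
"""Flag spam messages carrying the TROJ_SMALL.EDW lures (added example)."""
from email import policy
from email.parser import BytesParser

# Lure subjects and attachment names exactly as listed in the report
# (including the misspellings the spam run used).
LURE_SUBJECTS = {
    "230 dead as storm batters Europe.",
    "A killer at 11, he's free at 21 and kill again!",
    "British Muslims Genocide",
    "Chinese missile shot down Russian satellite",
    "President of Russia Putin dead.",
    "Radical Muslim drinking enemies' blood.",
    "Russian missle shot down Chinese aircraft",
    "Russian missle shot down USA satellite",
    "Sadam Hussein safe and sound",
    "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel",
}
LURE_ATTACHMENTS = {
    "full clip.exe", "full story.exe", "full video.exe", "read more.exe", "video.exe",
}

# Constructed sample: a message built to look like the spam run described above.
SAMPLE_MESSAGE = b"""\
From: news@example.invalid
To: victim@example.invalid
Subject: 230 dead as storm batters Europe.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Read the full story in the attachment.
--XYZ
Content-Type: application/octet-stream; name="Full Story.exe"
Content-Disposition: attachment; filename="Full Story.exe"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--XYZ--
"""

# Constructed sample: an ordinary message that must not be flagged.
CLEAN_MESSAGE = b"""\
From: colleague@example.invalid
To: victim@example.invalid
Subject: Lunch on Friday?
Content-Type: text/plain

See you at noon.
"""


def attachment_names(msg):
    """Return the filenames of every attachment part in a parsed message."""
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def triage(raw_bytes):
    """Return the reasons a message matches the Storm lure; an empty list means clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = []
    subject = (msg["subject"] or "").strip()
    if subject in LURE_SUBJECTS:
        reasons.append(f"known lure subject: {subject!r}")
    for name in attachment_names(msg):
        lowered = name.lower()
        if lowered in LURE_ATTACHMENTS:
            reasons.append(f"known lure attachment: {name!r}")
        elif lowered.endswith(".exe"):
            # Not on the report's list, but an executable attachment is
            # still worth quarantining at the gateway.
            reasons.append(f"executable attachment: {name!r}")
    return reasons


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, "->", triage(raw) or "no match")
```

The subject match is exact on purpose: the report gives the subjects verbatim, and an exact set lookup keeps false positives low; the generic `.exe` rule is the layer that still fires when the spammers rotate subjects.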

Upon execution, this Trojan drops the following files in the Windows system folder:

  • WINCOM32.SYS - also detected as TROJ_SMALL.EDW
  • PEERS.INI - non-malicious file
  • WINCOM32.INI - non-malicious file

The non-malicious files contain a list of IP addresses and port numbers of remote machines that it connects to, as discussed below.

It then registers itself as a service to ensure automatic execution at every system startup. It does the said routine by creating the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32

The file WINCOM32.SYS has rootkit capabilities, which enable this Trojan to hide its files and processes. The said routine allows this Trojan to avoid easy detection.

Download Routine

This Trojan connects to the following URLs to download and execute malicious files:

  • http://205.209.{BLOCKED}.112/cp/rule.php
  • http://209.123.{BLOCKED}.198/cp/rule.php
  • http://217.107.{BLOCKED}.187/cp/rule.php
  • http://217.107.{BLOCKED}.187/game0.exe
  • http://217.107.{BLOCKED}.187/sp/post.php
  • http://69.50.{BLOCKED}.234/cp/rule.php
  • http://81.177.{BLOCKED}.169/dir/game{number}.exe
  • http://81.177.{BLOCKED}.27/cp/rule.php

The downloaded files are detected by Trend Micro as:

The downloaded Trojans are usually responsible for acting as a Simple Mail Transfer Protocol relay agent, a downloader or rootkit, or a component for gathering email addresses and downloading updated copies of the worm.

Other Details

In addition, this worm opens various UDP ports to connect to the following IP addresses:

  • 142.161.{BLOCKED}.227 - Port 12951
  • 154.37.{BLOCKED}.117 - Port 7871
  • 154.37.{BLOCKED}.141 - Port 7871
  • 154.37.{BLOCKED}.209 - Port 7871
  • 154.37.{BLOCKED}.210 - Port 7871
  • 161.53.{BLOCKED}.5 - Port 6015
  • 172.186.{BLOCKED}.114 - Port 8821
  • 172.204.{BLOCKED}.238 - Port 5387
  • 192.192.{BLOCKED}.171 - Port 11831
  • 193.239.{BLOCKED}.171 - Port 17967
  • 193.239.{BLOCKED}.57 - Port 15116
  • 193.42.{BLOCKED}.167 - Port 14236
  • 193.42.{BLOCKED}.236 - Port 13884
  • 193.6.{BLOCKED}.212 - Port 6052
  • 195.111.{BLOCKED}.70 - Port 16636
  • 195.220.{BLOCKED}.98 - Port 4197
  • 200.120.{BLOCKED}.32 - Port 11572
  • 206.116.{BLOCKED}.76 - Port 3523
  • 207.44.{BLOCKED}.55 - Port 4912
  • 213.100.{BLOCKED}.210 - Port 2581
  • 213.17.{BLOCKED}.66 - Port 17668
  • 213.231.{BLOCKED}.75 - Port 5707
  • 213.26.{BLOCKED}.150 - Port 6773
  • 213.60.{BLOCKED}.99 - Port 7011
  • 216.151.{BLOCKED}.52 - Port 7871
  • 217.20.{BLOCKED}.250 - Port 7762
  • 218.39.{BLOCKED}.91 - Port 9865
  • 219.131.{BLOCKED}.130 - Port 17556
  • 219.90.{BLOCKED}.123 - Port 9005
  • 220.132.{BLOCKED}.110 - Port 11328
  • 59.12.{BLOCKED}.243 - Port 12596
  • 59.187.{BLOCKED}.104 - Port 3122
  • 60.190.{BLOCKED}.86 - Port 14577
  • 62.112.{BLOCKED}.44 - Port 14662
  • 62.121.{BLOCKED}.124 - Port 4673
  • 62.178.{BLOCKED}.201 - Port 16129
  • 62.219.{BLOCKED}.130 - Port 2008
  • 66.186.{BLOCKED}.22 - Port 7871
  • 70.83.{BLOCKED}.117 - Port 5469
  • 72.36.{BLOCKED}.114 - Port 12893
  • 80.109.{BLOCKED}.250 - Port 15140
  • 80.35.{BLOCKED}.52 - Port 10674
  • 81.10.{BLOCKED}.33 - Port 9994
  • 81.220.{BLOCKED}.168 - Port 9150
  • 82.146.{BLOCKED}.39 - Port 18295
  • 82.158.{BLOCKED}.117 - Port 10909
  • 82.182.{BLOCKED}.70 - Port 4091
  • 82.207.{BLOCKED}.146 - Port 5885
  • 82.23.{BLOCKED}.85 - Port 4451
  • 82.236.{BLOCKED}.244 - Port 12921
  • 82.237.{BLOCKED}.252 - Port 11922
  • 82.238.{BLOCKED}.213 - Port 7682
  • 82.55.{BLOCKED}.142 - Port 7255
  • 82.7.{BLOCKED}.85 - Port 11119
  • 83.14.{BLOCKED}.243 - Port 18559
  • 83.16.{BLOCKED}.114 - Port 8883
  • 83.254.{BLOCKED}.237 - Port 10619
  • 83.38.{BLOCKED}.62 - Port 12091
  • 84.122.{BLOCKED}.92 - Port 4064
  • 84.131.{BLOCKED}.214 - Port 21140
  • 84.16.{BLOCKED}.162 - Port 14611
  • 84.16.{BLOCKED}.77 - Port 12021
  • 84.16.{BLOCKED}.133 - Port 19023
  • 84.163.{BLOCKED}.99 - Port 5373
  • 84.63.{BLOCKED}.178 - Port 6002
  • 84.74.{BLOCKED}.161 - Port 21772
  • 85.10.{BLOCKED}.170 - Port 17003
  • 85.118.{BLOCKED}.13 - Port 3960
  • 85.118.{BLOCKED}.234 - Port 5642
  • 85.17.{BLOCKED}.106 - Port 2850
  • 88.191.{BLOCKED}.181 - Port 15840
  • 88.191.{BLOCKED}.23 - Port 17161
  • 88.191.{BLOCKED}.157 - Port 16738
  • 90.12.{BLOCKED}.77 - Port 6121

Depending on the sample, this worm sends UDP packets to the said IP addresses possibly to establish a peer connection to other infected hosts.

It is assumed that this entire NUWAR chain of infections is building a botnet over a peer-to-peer (P2P) network, in which every compromised machine acts as both a control server and a client at the same time, giving the whole botnet a flexible structure.

However, as of this writing, none of the current samples demonstrate a capability to execute a botmaster's commands. Thus, it is also possible that it sends UDP packets to other machines in an attempt to notify a malicious user of its infection, so that the compromised machine can be exploited later on.
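The peer list above, together with the report's note that PEERS.INI holds the IP addresses and ports the Trojan contacts, gives a network defender two things to look for: outbound UDP to a known peer, and the fan-out pattern of one internal host spraying UDP at many unrelated destinations on high ports. The script below is an added example, not Trend Micro's code. It parses a peer list written in the report's "IP - Port N" layout and scans firewall log lines for both signals. The real peer addresses are redacted on the page, so the peers here are constructed placeholders from the documentation address ranges combined with ports from the report; the log lines are constructed as well, in an assumed pfirewall.log-style layout (date time action protocol src-ip dst-ip src-port dst-port).

```python
"""Detect TROJ_SMALL.EDW-style UDP peer traffic in firewall logs (added example)."""
import re
from collections import defaultdict

# Constructed peer list in the report's layout. The addresses are
# placeholders (documentation ranges); the ports are taken from the report.
PEER_LIST = """\
198.51.100.227 - Port 12951
198.51.100.117 - Port 7871
203.0.113.5 - Port 6015
203.0.113.114 - Port 8821
192.0.2.238 - Port 5387
"""

# Accepts "IP - Port N" with or without the bullet used in the report.
PEER_LINE = re.compile(r"^\s*(?:•\s*)?(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*Port\s+(\d+)\s*$")

# Constructed log, assumed pfirewall.log-style field order:
# date time action protocol src-ip dst-ip src-port dst-port
FIREWALL_LOG = """\
2007-01-18 09:00:01 ALLOW UDP 10.0.0.5 198.51.100.227 1034 12951
2007-01-18 09:00:02 ALLOW UDP 10.0.0.5 203.0.113.5 1034 6015
2007-01-18 09:00:03 ALLOW UDP 10.0.0.5 192.0.2.77 1034 16129
2007-01-18 09:00:04 ALLOW UDP 10.0.0.5 192.0.2.78 1034 9994
2007-01-18 09:00:05 ALLOW UDP 10.0.0.5 192.0.2.79 1034 14611
2007-01-18 09:00:06 ALLOW UDP 10.0.0.9 10.0.0.1 51000 53
2007-01-18 09:00:07 ALLOW TCP 10.0.0.9 198.51.100.227 51001 80
2007-01-18 09:00:08 ALLOW UDP 10.0.0.12 192.0.2.200 4000 123
"""


def parse_peer_list(text):
    """Return a set of (ip, port) tuples from 'IP - Port N' lines; other lines are ignored."""
    peers = set()
    for line in text.splitlines():
        m = PEER_LINE.match(line)
        if m:
            peers.add((m.group(1), int(m.group(2))))
    return peers


def parse_log_line(line):
    """Return (action, proto, src, dst, sport, dport), or None for comments and short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 8:
        return None
    return fields[2], fields[3], fields[4], fields[5], int(fields[6]), int(fields[7])


def find_suspects(log_text, peers, fanout_threshold=4, min_port=1024):
    """Map each suspicious source host to a sorted list of reasons.

    A host is reported when it sends UDP to a known peer, or when it sends UDP
    to at least fanout_threshold distinct (dst, port) pairs on ports >= min_port,
    which is the P2P spray the report describes. DNS and NTP stay below min_port
    and so do not count towards the fan-out.
    """
    reasons = defaultdict(set)
    udp_targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        action, proto, src, dst, sport, dport = parsed
        if proto != "UDP":
            continue
        if (dst, dport) in peers:
            reasons[src].add(f"udp to known peer {dst}:{dport}")
        if dport >= min_port:
            udp_targets[src].add((dst, dport))
    for src, targets in udp_targets.items():
        if len(targets) >= fanout_threshold:
            reasons[src].add(f"udp fan-out to {len(targets)} high-port destinations")
    return {src: sorted(r) for src, r in reasons.items()}


if __name__ == "__main__":
    for host, why in find_suspects(FIREWALL_LOG, parse_peer_list(PEER_LIST)).items():
        print(host, "->", "; ".join(why))
```

The fan-out rule is the one worth keeping after the peer list goes stale: a P2P bot refreshes its peers, but a workstation that suddenly sends UDP to dozens of unrelated hosts on random ports above 1024 stands out regardless of which addresses it picked.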

Affected Platforms

This worm comes with its own compression. It affects systems running on Windows 98, ME, NT, 2000, XP, and Server 2003.

Analysis By: Aleandro Sy

Revision History:

First pattern file version: 4.194.01
First pattern file release date: Jan 18, 2007
 
Jan 21, 2007 - Modified Malware Report
Jan 25, 2007 - Complete Malware Report

SOLUTION


Minimum scan engine version needed: 8.000

Pattern file needed: 5.541.00

Pattern release date: Sep 14, 2008


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

To prevent this malware from spreading, we have provided product specific solution procedures that counter the malware's arrival, download, and system modification routine. The steps outlined in the solutions allow you to block malicious email attachments, block malicious URLs, and prevent the malware from writing to folders. Together, these solutions provide comprehensive, layered protection against this threat.

Please refer to the Trend Micro Knowledge Base for the detailed solution procedures:

For other concerns or inquiries, please contact Trend Micro Technical Support. Premium Support Program (PSP) clients can contact their Technical Account Manager (TAM) directly.

Note: To fully remove all associated malware, perform the clean solutions for the following:

Running Trend Micro Rootkit Buster

To remove the rootkits and ensure a successful cleanup, use the Trend Micro Rootkit Buster and follow these instructions:

  1. Download the tool, extract it to any folder on your computer using an archive utility such as WinZip, and run it.
  2. In the Rootkit Buster console, click the Scan button. After the scan, the console displays the rootkit files hidden on your computer. Hold down SHIFT and click each entry to highlight all files and registry entries that contain the following strings:

    • PEERS.INI
    • WINCOM32
    • WINCOM32.INI
    • WINCOM32.SYS

    Highlight related files
    Highlight related registry keys and entries
  3. Click Delete Selected Items. The Rootkit Buster will display the following message box:

    Click Yes to restart

  4. Click Yes to restart your computer.

Note: In some instances, the rootkit capability of this malware does not work, so the Running Trend Micro Rootkit Buster procedure may not apply. If no files or registry entries are enumerated, proceed with the solution below.

Editing the Registry

This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  3. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  4. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Key from the Registry

Removing autostart keys from the registry prevents the malware from executing at startup.

If the registry key below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
  3. Still in the left panel, locate and delete the key:
    wincom32
  4. Close Registry Editor.

Deleting the Malware File

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
    • PEERS.INI
    • WINCOM32.INI
  3. In the Look In drop-down list, select My Computer, then press Enter.
  4. Once located, select the file then press SHIFT+DELETE.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as TROJ_SMALL.EDW. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
