Virus

W32/Small.TD!tr

Analysis

This downloader Trojan attempts to use FTP.EXE to retrieve a binary from a hard-coded FTP server. The file was not available at the time of this writing.

FTP file download
The Trojan attempts to use FTP.EXE commonly found in Windows environments to retrieve binaries from the IP address 209.58.80.244. The Trojan first writes an FTP script to the undefinedWindowsundefined\Temp folder as "ABox.ftp", then initiates FTP.EXE with this script to download the files. The ftp script contains instructions to retrieve these three files -

ABox.exe
logon.exe
ABox.bup
The files are to be stored into the Windows folder. The files were unavailable at the time of this writing.

Miscellaneous
When the FTP client connects to the FTP server, the FTP dialogue has the following properties -

Connected to 209.58.80.244
220-Jgaa's Fan Club FTP service
WarFTPd 1.82.00-RC9 (Aug 21 2004) Ready
(C)opyright 1996 - 2004 by Jarle (jgaa) AAse - all rights reserved.

Recommended Action


    FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option