W32/Small.QW!tr

Alias/es: Adware.Searchbar-30 [Bit Defender], Adware.Searchbar-30 [ClamAV], TROJ_SMALL.QW [Trend], Trojan-Downloader.Win32.Small.qw [KAV], W32/Small.QW!tr
Release Date: Feb 11, 2005
Detection Availability
Active Database / Extended Database
FortiGate: low / high
FortiClient:
FortiMail: N/A
Current Antivirus Definition Database Version: 12.323
Description

Visible Symptoms

  • A compromised system may show ad pop-ups and have additional adware installed as a result of the Trojan's downloading routines.

  • Installed adware can also slow the system down.

Detailed Analysis

W32/Small.QW-tr is a Trojan that, when executed, downloads additional files onto the computer system.

Without the user knowing, this Trojan installs the DLMax application, which is detected as "BHO/DLMax." One of the files from this application is "Spike.exe", which sends information to http://example.com.

Then, this Trojan downloads another file, "duad.exe", from abetterinternet.com. This file is moved and renamed to C:\WinNT\System32\mdazhmcj.exe and is detected as W32/Mdashmsg-tr. A registry entry is inserted to run this file automatically at system startup:

HKEY_LOCAL_MACHINE\System\Microsoft\Windows\CurrentVersion\Run
mdazhmcj = c:\winnt\system32\mdazhmcj.exe
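
A triage check for the autorun entry described above, as an added example that is not part of the original write-up: it scans the text of a registry export for Run-key values matching the value name and file path given on this page. The function names and the sample export are constructed for illustration.

```python
import re

# Indicators taken from the write-up above (value name and file path).
IOC_VALUE_NAME = "mdazhmcj"
IOC_PATH = r"c:\winnt\system32\mdazhmcj.exe"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg files escape backslashes and quotes inside strings.
    return re.sub(r"\\(.)", r"\1", s)

def find_run_hits(reg_text):
    """Return (key, name, data) for Run-key values matching the indicators."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        # Suffix match: covers the path as printed on the page and the usual
        # HKLM\Software\...\Run location, in any letter case.
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        name, data = unescape(m.group("name")), unescape(m.group("data"))
        if name.lower() == IOC_VALUE_NAME or IOC_PATH in data.lower():
            hits.append((key, name, data))
    return hits

# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\WINNT\\SOUNDMAN.EXE"
"mdazhmcj"="C:\\WINNT\\System32\\mdazhmcj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"mdazhmcj"="unrelated value outside a Run key"
'''

if __name__ == "__main__":
    for key, name, data in find_run_hits(SAMPLE):
        print(f"{key}: {name} = {data}")
```

A file written by `reg export` is UTF-16 encoded, so decode it before passing its text to `find_run_hits`.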

Next, this Trojan downloads and installs the Farmmext application, which is detected as "Download/Stubby.C".

In some cases, this Trojan downloads and installs the Zserv application, which is detected as "W32/Agent.BP-bdr".

This Trojan is related to Adware/Betterinternet.

Description Last Updated Date: Mar 15, 2005
Reference: ID - 10997