This application requires Javascript for optimal performance.

W32/Small.QW!tr - Released Feb 11, 2005 - Last Updated Mar 15, 2005

Alias/es

Adware.Searchbar-30 [Bit Defender], Adware.Searchbar-30 [ClamAV], TROJ_SMALL.QW [Trend], Trojan-Downloader.Win32.Small.qw [KAV], W32/Small.QW!tr

Detection Availability

Active DatabaseExtended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • A compromised system may have ad pop-ups and additional adware installed due to the Trojan and its downloading routines

  • An effect from having adware installed is a slowness of the system

Detailed Analysis

W32/Small.QW-tr is a Trojan, when executed downloads additional files into the computer system.

Without the user knowing, this Trojan installs the DLMax application, which is detected as "BHO/DLMax." One of the files from this application is "Spike.exe" which sends information to http://example.com.

Then, this Trojan downloads another file "duad.exe" from abetterinternet.com. This file is moved and renamed to C:\WinNT\System32\mdazhmcj.exe, and detected as W32/Mdashmsg-tr. A registry entry is inserted to auto run this file at system startup

HKEY_LOCAL_MACHINE\System\Microsoft\Windows\CurrentVersion\Run
mdazhmcj = c:\winnt\system32\mdazhmcj.exe

Next, this Trojan downloads and installs Farmmext application, which is detected as "Download/Stubby.C"

In some cases, this Trojan downloads and installs Zserv application, which is detected as "W32/Agent.BP-bdr"

This Trojan is related to Adware/Betterinternet.

Recommended Action

  • FortiGate systems: check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option


Reference: ID - 10997