Win32/TrojanDownloader.Small.ONR [Threat Name] go to Threat

Win32/TrojanDownloader.Small.ONR [Threat Variant Name]

Category trojan
Size 22016 B
Detection created Mar 29, 2009
Detection database version 3973
Aliases Trojan.Win32.Agent2.gyq (Kaspersky)
  Downloader (Symantec)
  Generic.Downloader.x (McAfee)
Short description

The trojan tries to download several files from the Internet. The files are then executed.


When executed the trojan copies itself in the following locations:

  • %system%\­wbem\­grpconv.exe (22016 B)
  • %temp%\­%variable%.tmp (22016 B)

A string with variable content is used instead of %variable% .

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • svchost.exe

The following Registry entries are created:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "RunGrpConv" = 1
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­SecurityProviders]
    • "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll"
Other information

The trojan tries to download and execute several files from the Internet.

The trojan contains a list of (1) URLs.

The HTTP protocol is used.

The trojan creates the following files:

  • %appdata%\­wiaserva.log

The following files are deleted:

  • %system%\­grpconv.exe
  • %system%\­dllcache\­grpconv.exe

Please enable Javascript to ensure correct displaying of this content and refresh this page.