Win32/Small.CVQ [Threat Name]

Win32/Small.CVQ [Threat Variant Name]

Category: trojan
Size: 11776 B
Aliases:
  • Email-Worm.Win32.Gibon.hi (Kaspersky)
  • Backdoor.Exdis (Symantec)
  • Backdoor:Win32/Syrutrk.A (Microsoft)

Short description

The trojan serves as a proxy server.


When executed, the trojan creates the following files:

  • %system%\wininet.exe (11776 B)
  • %system%\svshost.dll (2560 B)

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CLASSES_ROOT\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32]
    • "(Default)" = "%system%\svshost.dll"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    • "SysRun" = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MPRServices\winsys]
    • "DLLName" = "%system%\svshost.dll"
    • "EntryPoint" = "win1"
    • "StackSize" = 16843009

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%system%\wininet.exe" = "%system%\wininet.exe:*:Enabled:Windows XP Update"

This entry creates an exception in the Windows Firewall for %system%\wininet.exe, labelled "Windows XP Update".
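
For offline triage, the Registry entries listed above can be checked against a text export of a host's Registry. The following is an added example, not part of the original description: the function names, rule labels and the sample export are constructed for illustration, and the input is assumed to be .reg export text that has already been decoded to a string.

```python
import re

CLSID = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
SYSDLL = r".*\\svshost\.dll"  # %system% differs per host, so match the file name only
# (label, key suffix, value-name regex, data regex), taken from the entries listed above.
# Keys are matched by suffix so HKEY_CLASSES_ROOT and HKLM\SOFTWARE\Classes both hit.
RULES = [
    ("com server", "\\CLSID\\" + CLSID + "\\InProcServer32", "@", SYSDLL),
    ("delay-load autostart", "\\ShellServiceObjectDelayLoad", "SysRun", re.escape(CLSID)),
    ("mprservices autostart", "\\Control\\MPRServices\\winsys", "DLLName", SYSDLL),
    ("firewall exception", "\\StandardProfile\\AuthorizedApplications\\List",
     r".*\\wininet\.exe", r".*:Enabled:Windows XP Update"),
]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unquote(s):
    """Strip .reg quoting and undo backslash escapes; dword:/hex: data is left as is."""
    return re.sub(r"\\(.)", r"\1", s[1:-1]) if s[:1] == '"' else s

def parse_reg(text):
    """Yield (key, value name, data) from .reg export text; '@' is the default value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, _unquote(m.group(1)), _unquote(m.group(2))

def find_indicators(text):
    """Return the sorted labels of every rule matched by a value in the export."""
    return sorted({label for key, name, data in parse_reg(text)
                   for label, suffix, name_re, data_re in RULES
                   if key.lower().endswith(suffix.lower())
                   and re.fullmatch(name_re, name, re.I) and re.fullmatch(data_re, data, re.I)})

# Constructed sample export (not captured from a real host)
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysRun"="{D7FFD784-5276-42D1-887B-00267870A4C7}"
[HKEY_CLASSES_ROOT\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32]
@="C:\\WINDOWS\\system32\\svshost.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MPRServices\winsys]
"DLLName"="C:\\WINDOWS\\system32\\svshost.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\wininet.exe"="C:\\WINDOWS\\system32\\wininet.exe:*:Enabled:Windows XP Update"
'''

if __name__ == "__main__":
    print(find_indicators(SAMPLE))
```
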

Information stealing

The following information is collected:

  • opened TCP port number

The trojan can send the information to a remote machine.

Other information

The trojan opens a random TCP port, on which a proxy listens.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of URLs (1 entry).

The HTTP protocol is used.
