Description:
Barely three weeks into the new year, as the storm "Kyrill" raged across central Europe, another "storm" brewed. The new storm was a deluge of spam email messages that promised information about Europe's most severe winter storm since 1999, with subject lines such as "230 dead as storm batters Europe", among others.
That is how this Trojan, which arrives as an attachment to the said email messages, came to be dubbed the "Storm" malware. But this Trojan is more than just malware with a clever social engineering technique. Bringing WORM_NUWAR.CQ along with it, it created a partnership that staged a complex attack.
To read a comprehensive article about the routines and ultimate goals of the TROJ_SMALL.EDW-WORM_NUWAR.CQ tandem, see: TROJ_SMALL.EDW Storms into Inboxes, Teams Up with NUWAR to Create Unique Network.
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview
This Trojan arrives as a file dropped by other malware such as WORM_NUWAR.CQ and WORM_NUWAR.AAI. It may also arrive as a file downloaded unknowingly by a user when visiting malicious URLs. In addition, it may arrive as a copy downloaded by earlier variants.
It is also spammed via email using subject lines related to specific events. The image below is a sample of the said email message.

This Trojan downloads and executes other possibly malicious files from certain Web sites. Downloaded files are detected by Trend Micro as the following:
As a result, malicious routines of the downloaded files are also exhibited on the affected system.
Its component WINCOM32.SYS has rootkit capabilities, which enable this Trojan to hide its files and processes. The said routine allows this Trojan to avoid easy detection.
It connects to specific IP addresses. It does the said routine by opening various UDP ports. Depending on the sample, this Trojan sends UDP packets to the said IP addresses, possibly to establish a peer connection to other infected hosts.
It is also possible that it sends UDP packets to other machines in its attempt to notify a malicious user of its infection, so that the compromised machine can be exploited later on.
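As an added example (not part of this Trend Micro description), the following Python sketch turns the UDP peer-connection behaviour described above into a detection heuristic: it reads firewall log lines and flags any internal host that sends UDP packets to many distinct destination addresses on varied ports. The log format, the thresholds and the sample addresses are constructed assumptions.

```python
"""Heuristic detector for the UDP peer fan-out pattern described above."""
from collections import defaultdict

# Constructed sample firewall log lines (not real telemetry):
# "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
10:00:01 UDP 192.0.2.10:41234 -> 198.51.100.5:7871
10:00:01 UDP 192.0.2.10:41235 -> 198.51.100.9:21010
10:00:02 UDP 192.0.2.10:41236 -> 203.0.113.77:4505
10:00:02 UDP 192.0.2.10:41237 -> 203.0.113.78:11271
10:00:03 UDP 192.0.2.10:41238 -> 198.51.100.44:8000
10:00:03 UDP 192.0.2.10:41239 -> 203.0.113.200:1234
10:00:04 UDP 192.0.2.20:53011 -> 192.0.2.1:53
10:00:05 UDP 192.0.2.20:53012 -> 192.0.2.1:53
10:00:06 TCP 192.0.2.30:50100 -> 203.0.113.9:80
"""

def parse_line(line):
    """Return (proto, src_ip, dst_ip, dst_port) or None for unparsable lines."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    proto = parts[1]
    src_ip = parts[2].rsplit(":", 1)[0]
    dst_ip, dst_port = parts[4].rsplit(":", 1)
    return proto, src_ip, dst_ip, int(dst_port)

def find_udp_fanout(log_text, min_peers=5, min_ports=3):
    """Map each source host to its distinct UDP (dst_ip, dst_port) pairs and
    return {src_ip: sorted peer IPs} for hosts exceeding both thresholds.
    A single resolver talked to on one port (normal DNS) is not flagged."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[0] != "UDP":
            continue
        _, src_ip, dst_ip, dst_port = rec
        peers[src_ip].add((dst_ip, dst_port))
    flagged = {}
    for src_ip, pairs in peers.items():
        dst_ips = {ip for ip, _ in pairs}
        dst_ports = {port for _, port in pairs}
        if len(dst_ips) >= min_peers and len(dst_ports) >= min_ports:
            flagged[src_ip] = sorted(dst_ips)
    return flagged

if __name__ == "__main__":
    for host, ips in find_udp_fanout(SAMPLE_LOG).items():
        print(f"{host}: UDP fan-out to {len(ips)} distinct peers")
```

Thresholds need tuning per network; legitimate P2P and VoIP clients show a similar fan-out, so treat a hit as a triage lead to correlate with the file and process indicators above, not as a verdict.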
Trend Micro already detects this Trojan using the latest virus pattern file. Other Internet users can use HouseCall, the Trend Micro online virus scanner, to check if their systems are affected by this threat. Please refer to the Solution page for the detailed manual removal instructions.
Description created: Jan. 19, 2007 12:59:25 AM GMT -0800