Help."TrojanNotifier.Win32.small.a" found on my PC

I found:
TrojanNotifier.Win32.small.a
On my PC when doing a scan with F-Secure. What is this Trojan/virus. What does it do?

thanks for any advice.

 

hi chris,

could you say what file was affected and like any more info F-secure gave?? while catching the worm??

thx

 

I have rebooted so the report has gone, but it was a dll file which was infected. It was located in the recycle bin. However, when I looked in the bin the only files there were the F-Secure 5.42 (which I just installed after downloading from the official site)and some text files.

I think it was the Kaspersky engine which found it - if that helps.

 

Send to gavin@diamondcs.com.au ?

This means it is a small sized trojan notifier, whos job is either send your IP by ICQ email MSN Yahoo or CGI/PHP script. Whichever it is, its not a known public release or it would usually have a name - so Kaspersky analysts use a generic name, small.a small.b etc

The worry to me here now is that if you only found a DLL theres an EXE, and a notifier is always used if its needed to be bound onto some OTHER trojan - or a rootkit which doesnt have notify. Hacker Defender springs to mind, its open source and I have received a public recompile which evades KAV for now - Im sure they will have a detection within a few days though its a public release.

 

I have identified where this little beast came from. I had been trying out some "leaktests" on my firewall - from a website run by one of the members here. the address is:

http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/index.html
The problem is with the "Firehole" leaktest. It does not run on my PC as F-Secure pops up and warns about the trojan.

I know my AV would not let me even download some of them as it identified them as hacker tools. - Has the copy of firehole at that site been modified in some way, or is it just a cast that my AV (F-Secure 5.42) is just identifying this app as a "potential risk"?

 

A bit more info....

Firehole generates a dll when it runs, and it is this that F-Secure is identifying as a trojan. Here is the report F-Secure generated:
*****************************************************
Scanning Report
31 January 2004 11:17:15

Options

--------------------------------------------------------------------------------
Target:
C:\Documents and Settings\?\Desktop\FireDLL.dll
Action:
Ask after scan
Scanning options:
Scan all files
Scan inside archives: on
Scanning Engines:
F-Secure AVP: 4.0.164.5361, 2004-01-28
F-Secure Libra: 2.01.05, 2004-01-20
F-Secure Orion: 1.02.27, 2004-01-30
Results

--------------------------------------------------------------------------------
Boot Sectors
Scanned: 0
Infected: 0
Suspected: 0
Disinfected: 0
Files
Scanned: 1
Infected: 1
Suspected: 0
Disinfected: 0
Renamed: 0
Deleted: 1
Quarantined: 0
Report

--------------------------------------------------------------------------------

C:\Documents and Settings\?\Desktop\FireDLL.dll Infection: TrojanNotifier.Win32.Small.a Deleted.
****************************************************

I would like to know if this dll is harmless or not.

 

Hi Chris,

first of all, no need to worry.

As i have said you last time you contacted me on MSN, i am writing a paper which covers leaktests and firewall/security in general, and your case is in it.
However, since you need immediate help and understanding, i will explain what it means and why there is nothing to worry about.

The leaktest in itself isn't a trojan or malware, it is a tool to help you to check your firewall, to see if it has vulnerabilities.
Many of leaktests has their source code available.

But, the leaktests code in itself which is the exploit, can be used by any trojan/malware, just by mimic the behaviour or simply by copy/past an available leaktest source code into a trojan source code, so the harmless tool helps to create a harmfull malware.
The leaktest isn't a malware, but his code could be used in a malware, so your AV does it's job by detecting the code as a potentialy harmfull code, althought the executable using it, in our case the leaktest, isn't harmfull.

If a ITW trojan tomorrow uses a leaktest trick, it's better that our AV detect it before it hurts.

But leaktests are your friends and aren't trojans or malwares, you can add them to your "exlusion" AV list

Don't hesitate if you have other questions

regards,

gkweb.

 

TrojanNotifier.Win32.small.a
it's a newish icq pager which apparently uses firehole code parts to bypass firewalls, enough code to provoke detection of the kav engine..
the actual notifier is very small, too small to be even packed with an exe packer as the stub would be bigger than the exe..i think i have a sample of this somewhere..
however getting a signature out of such a small file is a chance to get a false positive..there really aint that much of code to extract from..
isn't the firehole.exe flagged by many av's as a trojan? at least firehole functionality is nowadays almost standard in new trojan releases

i think that perso.wanadoo etc links to the original firehole site for the download

 

Yep, well noticed