Help. "TrojanNotifier.Win32.small.a" found on my PC

Discussion in 'malware problems & news' started by ChrisP, Jan 30, 2004.

Thread Status:
Not open for further replies.
  1. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    I found:
    TrojanNotifier.Win32.small.a
    on my PC when doing a scan with F-Secure. What is this Trojan/virus? What does it do?

    thanks for any advice.
     
  2. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    hi chris,

    Could you say what file was affected, and any more info F-Secure gave while catching the worm?

    thx
     
  3. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    I have rebooted so the report has gone, but it was a dll file which was infected. It was located in the recycle bin. However, when I looked in the bin the only files there were the F-Secure 5.42 (which I just installed after downloading from the official site) and some text files.

    I think it was the Kaspersky engine which found it - if that helps.
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Send to gavin@diamondcs.com.au ?

    This means it is a small-sized trojan notifier, whose job is to send your IP by ICQ, email, MSN, Yahoo or a CGI/PHP script. Whichever it is, it's not a known public release or it would usually have a name, so Kaspersky analysts use a generic name: small.a, small.b etc.

    The worry to me here now is that if you only found a DLL there's an EXE, and a notifier is always used when it needs to be bound onto some OTHER trojan, or a rootkit which doesn't have notify. Hacker Defender springs to mind: it's open source and I have received a public recompile which evades KAV for now. I'm sure they will have a detection within a few days though, as it's a public release.
     
  5. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    I have identified where this little beast came from. I had been trying out some "leaktests" on my firewall, from a website run by one of the members here. The address is:

    http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/index.html
    The problem is with the "Firehole" leaktest. It does not run on my PC as F-Secure pops up and warns about the trojan.

    I know my AV would not let me even download some of them as it identified them as hacker tools. Has the copy of Firehole at that site been modified in some way, or is it just a case that my AV (F-Secure 5.42) is identifying this app as a "potential risk"?
     
  6. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    A bit more info....

    Firehole generates a dll when it runs, and it is this that F-Secure is identifying as a trojan. Here is the report F-Secure generated:
    *****************************************************
    Scanning Report
    31 January 2004 11:17:15

    Options

    --------------------------------------------------------------------------------
    Target:
    C:\Documents and Settings\o_Oo_O?\Desktop\FireDLL.dll
    Action:
    Ask after scan
    Scanning options:
    Scan all files
    Scan inside archives: on
    Scanning Engines:
    F-Secure AVP: 4.0.164.5361, 2004-01-28
    F-Secure Libra: 2.01.05, 2004-01-20
    F-Secure Orion: 1.02.27, 2004-01-30
    Results

    --------------------------------------------------------------------------------
    Boot Sectors
    Scanned: 0
    Infected: 0
    Suspected: 0
    Disinfected: 0
    Files
    Scanned: 1
    Infected: 1
    Suspected: 0
    Disinfected: 0
    Renamed: 0
    Deleted: 1
    Quarantined: 0
    Report

    --------------------------------------------------------------------------------

    C:\Documents and Settings\o_Oo_O?\Desktop\FireDLL.dll Infection: TrojanNotifier.Win32.Small.a Deleted.
    ****************************************************

    I would like to know if this dll is harmless or not.
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    I'd have to say that F-Secure is just flagging the potential risk in this case. I just checked the version of firehole.exe that is available at that website and it is identical to the version I have saved from back in 2002, so it is not a different firehole.

    I'd say this is not something to worry about. Your AV did its job in the sense that there was potential there. Yes, in this case it's a leaktest, but the alternative is to weaken the detection to let this leaktest go unnoticed, which might very well allow a real piece of malware through. For me, I'd go with alerting on this file if given the choice.

    Of course, our friend gkweb is the author and owner of that firewall leaktest site.
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi Chris,

    first of all, no need to worry.

    As I said the last time you contacted me on MSN, I am writing a paper which covers leaktests and firewall/security in general, and your case is in it.
    However, since you need immediate help and understanding, i will explain what it means and why there is nothing to worry about.

    The leaktest in itself isn't a trojan or malware, it is a tool to help you to check your firewall, to see if it has vulnerabilities.
    Many leaktests have their source code available.

    But the leaktest code itself, which is the exploit, can be used by any trojan/malware, just by mimicking the behaviour or simply by copy/pasting an available leaktest's source code into a trojan's source code, so the harmless tool helps to create a harmful malware.
    The leaktest isn't malware, but its code could be used in malware, so your AV does its job by detecting the code as potentially harmful code, although the executable using it, in our case the leaktest, isn't harmful.

    If an ITW trojan tomorrow uses a leaktest trick, it's better that our AV detects it before it hurts.

    But leaktests are your friends and aren't trojans or malware; you can add them to your "exclusion" AV list :)

    Don't hesitate if you have other questions ;)

    regards,

    gkweb.
     
  9. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    TrojanNotifier.Win32.small.a
    It's a newish ICQ pager which apparently uses Firehole code parts to bypass firewalls, enough code to provoke detection by the KAV engine.
    The actual notifier is very small, too small to even be packed with an EXE packer, as the stub would be bigger than the EXE. I think I have a sample of this somewhere.
    However, getting a signature out of such a small file is a chance to get a false positive; there really isn't that much code to extract from.
    Isn't firehole.exe flagged by many AVs as a trojan? At least Firehole functionality is nowadays almost standard in new trojan releases.

    I think perso.wanadoo etc. links to the original Firehole site for the download.
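    The three posts above make two practical points: a signature pulled from a file only a few bytes long is prone to false positives (illukka), and a trusted leaktest can be recognised by comparing it against a saved known-good copy (LowWaterMark) and excluded from alerting (gkweb). The Python below is an added example written for this thread, not code from the thread, from Firehole or from any AV vendor. Every signature, "file" and hash in it is a constructed stand-in: "hole" is a hypothetical four-byte signature chosen to show the false-positive problem, the longer pattern is a hypothetical specific one, and the byte strings are fake binaries and text, not real samples.

```python
# Added example: signature matching vs. allow-listing by content hash.
# All signatures, file contents and hashes are constructed stand-ins.
import hashlib

# Hypothetical signatures (not real AV signatures). "hole" stands in for
# the handful of bytes an analyst can extract from a notifier that is only
# a few hundred bytes long; the second pattern stands in for a longer,
# more specific byte sequence.
SIGNATURES = {
    "TrojanNotifier.short": b"hole",
    "TrojanNotifier.long": b"NOTIFY-IP:icq+http\x00",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's content as a lowercase hex digest."""
    return hashlib.sha256(data).hexdigest()


def find_signatures(data: bytes, signatures=SIGNATURES) -> list:
    """Names of every signature whose byte pattern occurs anywhere in data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def is_unmodified(data: bytes, reference_digest: str) -> bool:
    """The 'identical to the copy I saved' check: same content hash or not.
    Any changed byte, e.g. a recompile, produces a different digest."""
    return sha256_hex(data) == reference_digest


def classify(data: bytes, allowlist: dict, signatures=SIGNATURES) -> str:
    """Allow-list a trusted file by its content hash first, then scan.

    allowlist maps sha256 hex digest -> label of the trusted file, so the
    exclusion follows the bytes rather than a filename or directory.
    Returns "allowlisted:<label>", "detected:<sig,...>" or "clean".
    """
    digest = sha256_hex(data)
    if digest in allowlist:
        return "allowlisted:" + allowlist[digest]
    hits = find_signatures(data, signatures)
    if hits:
        return "detected:" + ",".join(hits)
    return "clean"


# Constructed sample "files" (fake headers and markers, not real binaries).
FIREDLL_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16            # fake PE header
                  + b"NOTIFY-IP:icq+http\x00"             # the specific pattern
                  + b"\x00" * 8 + b"hole" + b"\x00" * 8)  # plus the short one
TINY_NOTIFIER = b"MZ" + b"hole" + b"\x00" * 6              # a 12-byte "notifier"
BENIGN_TEXT = b"Please read the whole thread before replying.\n"  # contains "hole"
CLEAN_BINARY = b"MZ\x90\x00" + b"\x00" * 32

# The leaktest DLL we have examined and trust, keyed by its content hash
# (the hash is computed here from the constructed sample, not a real one).
KNOWN_GOOD = {sha256_hex(FIREDLL_SAMPLE): "FireDLL.dll (leaktest, known-good copy)"}


if __name__ == "__main__":
    for label, blob in [("FireDLL.dll", FIREDLL_SAMPLE), ("notifier", TINY_NOTIFIER),
                        ("post.txt", BENIGN_TEXT), ("clean.exe", CLEAN_BINARY)]:
        print(f"{label:12} -> {classify(blob, KNOWN_GOOD)}")
    # A copy with a single byte changed no longer matches the saved hash.
    tampered = FIREDLL_SAMPLE[:-1] + b"\x01"
    print("tampered copy unmodified?", is_unmodified(tampered, next(iter(KNOWN_GOOD))))
```

    Run stand-alone, the script reports the trusted DLL as allow-listed, the tiny notifier as detected, the plain-text file as detected too (the four-byte pattern matches "whole"), and the clean binary as clean. Remove the trusted entry from the allow-list and the DLL is flagged by both signatures, which is the behaviour the original poster saw. Keying the exclusion on the content hash rather than the file path means a recompiled or altered copy dropped into the same place is scanned again instead of being silently trusted.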
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yep, well noticed ;)
     