What is this, (TR/Dldr.small.cml.7)

Joe

AntiVir has started reporting
(TR/Dldr.small.cml.7) on each bootup of Win XP
I can find no info (in English) on the web; can someone here help me
out?
 
Joe said:
AntiVir has started reporting
(TR/Dldr.small.cml.7) on each bootup of Win XP
I can find no info (in English) on the web; can someone here help me
out?

TR - trojan (program that does something other than what the user expects)

Dldr - downloader (downloads a file, and probably executes it)

small - sort of a generic name for programs of less than some specific size.

The rest you would have to ask the AntiVir about, it is specific to the
malware itself - like a minor variation - and to their naming process.

Where was it found, and what filename did it have?

It might be a false positive declaration of that malware - or not.
 
Joe said:
Found it in windows/system32/winowk32.dll, which I suspect is a random
name.

I'm a bit worried that it might be a bagle variant, but I have no reason
for this.

i suspect that if it had been bagle your anti-virus would have said
bagle... i don't think TR/Dldr.small.cml.7 is a generic name, i think
it's the proper malware name for what you have... hopefully that's all
you've got - a downloader trojan's purpose is to download other malware
onto your computer and run it...

i suspect this page describing trojandownloader.win32.small
(http://www.f-secure.com/v-descs/trdlsmal.shtml) applies to what you've
got...
 
From: "Joe" <[email protected]>

| AntiVir has started reporting
| (TR/Dldr.small.cml.7) on each bootup of Win XP
| I can find no info (in English) on the web; can someone here help me
| out?


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Joe said:
Found it in windows/system32/winowk32.dll, which I suspect is a random
name.

A name like that, and in that location, I suspect you're right.
I'm a bit worried that it might be a bagle variant, but I have no reason
for this.

Bagle schmagle - it's bad enough you have a downloader and you don't
know what it might have done if executed.

Now that you have a filename, you can send that file to online single file
scanners like jotti or virustotal to see what other detectors have to say
about it. You can get more info to determine for yourself if it is a FP or
not, and get some names that other vendors use for this piece of malware.
Armed with new names, even more info becomes available.
 
... hopefully that's all
you've got - a downloader trojan's purpose is to download other malware
onto your computer and run it...

i suspect this page describing trojandownloader.win32.small
(http://www.f-secure.com/v-descs/trdlsmal.shtml) applies to what you've
got...
Aha! Yes - that appears to be it. I went looking in the file system, and
found Adservice.bat and adservice.dll along with the winowk32.dll, all with
the same date and time. The DLLs were both 17408 bytes long and identical
in content.
I haven't checked the registry yet, but I'm
feeling better about things now. Renaming the three files just mentioned
makes the problem disappear. (Whether that is the same as "problem goes
away" is yet to be determined.)
Thanks VERY much indeed.
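The two replies above suggest the same triage steps: find the files that share the suspect's timestamp, check whether they are the same size and content, and compute hashes you can look up at a multi-engine scanner. The script below is an added example (not code from the thread or from any tool mentioned in it) that does exactly that over a constructed sample directory: the file names mirror the thread, but the bytes are placeholders, not malware, and the layout (a flat directory, one named suspect) is an assumption.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed placeholder contents (NOT real malware). The DLL length matches
# the 17408 bytes reported in the thread; the bytes themselves are made up.
PLACEHOLDER_DLL = b"MZ" + b"\x00" * (17408 - 2)
PLACEHOLDER_BAT = b"@echo off\r\nrem constructed placeholder\r\n"
UNRELATED = b"unrelated file written at a different time\n"


def sha256_of(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(directory, suspect):
    """Collect files in `directory` sharing the suspect's modification time (to the
    second), then record sizes and SHA-256 digests and group identical content.

    Returns a dict with:
      related: names sharing the suspect's mtime (suspect included)
      sizes:   name -> size in bytes
      digests: name -> sha256 hex digest (what you paste into VirusTotal/jotti)
      groups:  digest -> list of names with byte-identical content
    """
    suspect_mtime = int(os.stat(os.path.join(directory, suspect)).st_mtime)
    related, sizes, digests = [], {}, {}
    groups = defaultdict(list)
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        if int(st.st_mtime) != suspect_mtime:
            continue  # different timestamp: not part of this drop
        related.append(name)
        sizes[name] = st.st_size
        digests[name] = sha256_of(path)
        groups[digests[name]].append(name)
    return {"related": related, "sizes": sizes,
            "digests": digests, "groups": dict(groups)}


def build_sample_dir():
    """Create a temporary directory that reproduces the thread's situation:
    three files dropped at the same second (two byte-identical DLLs plus a
    .bat) and one unrelated file with an older timestamp. Constructed data."""
    d = tempfile.mkdtemp(prefix="triage_sample_")
    drop_time = 1_100_000_000      # assumed epoch seconds for the drop
    older_time = 1_000_000_000     # assumed older timestamp for the unrelated file
    files = {
        "winowk32.dll": (PLACEHOLDER_DLL, drop_time),
        "adservice.dll": (PLACEHOLDER_DLL, drop_time),
        "Adservice.bat": (PLACEHOLDER_BAT, drop_time),
        "kernel32.dll": (UNRELATED, older_time),  # name only; placeholder bytes
    }
    for name, (data, mtime) in files.items():
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    result = triage(sample, "winowk32.dll")
    print("Files sharing the suspect's timestamp:", result["related"])
    for digest, names in result["groups"].items():
        print(f"{digest}  size={result['sizes'][names[0]]}  {', '.join(names)}")
```

Running it lists the three same-timestamp files, shows the two DLLs collapsing into one digest group (identical content, as Joe observed) and the .bat in its own, and leaves the older file out. The digests are what you would look up at a multi-engine scanner to learn which other vendors flag the sample and under what names.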
 