How to Prevent and Remove the Trojan.Win32.Small.acyq

| # | Filename(s) | File Size |
| 1 | %UserProfile%\wuaucldt.exe [file and pathname of the sample #1]; %System%\wuaucldt.exe | 55,040 bytes |
| 2 | %Windir%\Temp\VRT3.tmp | 34,816 bytes |
| 3 | %Windir%\Temp\VRT4.tmp | 3,640 bytes |
| 4 | %Windir%\Temp\VRT5.tmp | 0 bytes |
- Notes:
- %UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).
- %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- The following files were modified:
- [pathname with a string SHARE]\msinfo32.exe
- [pathname with a string SHARE]\sapisvr.exe
- %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe
- %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe
- %ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe
- %ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe
- %ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe
- %ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe
- %ProgramFiles%\Internet Explorer\iedw.exe
- %ProgramFiles%\Internet Explorer\IEXPLORE.EXE
- %ProgramFiles%\MSN\MSNIA\msniasvc.exe
- %ProgramFiles%\MSN\MSNIA\prestp.exe
- %ProgramFiles%\MSN\MsnInstaller\msninst.exe
- %ProgramFiles%\NetMeeting\cb32.exe
- %ProgramFiles%\NetMeeting\conf.exe
- %ProgramFiles%\NetMeeting\wb32.exe
- %ProgramFiles%\Outlook Express\msimn.exe
- %ProgramFiles%\Outlook Express\oemig50.exe
- %ProgramFiles%\Outlook Express\setup50.exe
- %ProgramFiles%\Outlook Express\wab.exe
- %ProgramFiles%\Outlook Express\wabmig.exe
- %ProgramFiles%\Web Publish\WPWIZ.EXE
- %ProgramFiles%\Windows Media Player\migrate.exe
- %ProgramFiles%\Windows Media Player\mplayer2.exe
- %ProgramFiles%\Windows Media Player\setup_wm.exe
- %ProgramFiles%\Windows Media Player\wmplayer.exe
- %ProgramFiles%\Windows NT\Accessories\wordpad.exe
- %ProgramFiles%\Windows NT\dialer.exe
- %ProgramFiles%\Windows NT\hypertrm.exe
- %ProgramFiles%\Windows NT\Pinball\PINBALL.EXE
- %Windir%\Cache\Adobe Reader 6.0.1\ENUBIG\setup.exe
- %Windir%\hh.exe
- %Windir%\inf\unregmp2.exe
- %Windir%\Installer\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}\places.exe
- %Windir%\Microsoft.NET\Framework\NETFXSBS10.exe
- %Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
- %Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
- %Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
- %Windir%\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
- %Windir%\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
- %Windir%\Microsoft.NET\Framework\v2.0.50727\IEExec.exe
- %Windir%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
- %Windir%\Microsoft.NET\Framework\v2.0.50727\jsc.exe
- %Windir%\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
- %Windir%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
- %Windir%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
- %Windir%\msagent\agentsvr.exe
- %Windir%\mui\muisetup.exe
- %Windir%\NOTEPAD.EXE
- %Windir%\pchealth\helpctr\binaries\HelpCtr.exe
- %Windir%\pchealth\helpctr\binaries\HelpHost.exe
- %Windir%\pchealth\helpctr\binaries\HelpSvc.exe
- %Windir%\pchealth\helpctr\binaries\HscUpd.exe
- %Windir%\pchealth\helpctr\binaries\msconfig.exe
- %Windir%\pchealth\helpctr\binaries\notiflag.exe
- %Windir%\pchealth\UploadLB\Binaries\UploadM.exe
- %Windir%\regedit.exe
- %System%\accwiz.exe
- %System%\actmovie.exe
- %System%\ahui.exe
- %System%\arp.exe
- %System%\asr_fmt.exe
- %System%\asr_ldm.exe
- %System%\asr_pfu.exe
- %System%\at.exe
- %System%\atmadm.exe
- %System%\attrib.exe
- %System%\auditusr.exe
- %System%\blastcln.exe
- %System%\bootcfg.exe
- %System%\bootok.exe
- %System%\bootvrfy.exe
- %System%\cacls.exe
- %System%\calc.exe
- %System%\charmap.exe
- %System%\chkdsk.exe
- %System%\chkntfs.exe
- %System%\cidaemon.exe
- %System%\cipher.exe
- %System%\cisvc.exe
- %System%\ckcnv.exe
- %System%\cleanmgr.exe
- %System%\clean_all.exe
- %System%\cliconfg.exe
- %System%\clipbrd.exe
- %System%\clipsrv.exe
- %System%\cmd.exe
- %System%\cmdl32.exe
- %System%\cmmon32.exe
- %System%\cmstp.exe
- %System%\Com\comrepl.exe
- %System%\Com\comrereg.exe
- %System%\comp.exe
- %System%\compact.exe
- %System%\conime.exe
- %System%\control.exe
- %System%\convert.exe
- %System%\cscript.exe
- %System%\ctfmon.exe
- %System%\dcomcnfg.exe
- Notes:
- %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
- The following directory entries were recorded as created:
- c:\System Volume Information\.
- c:\System Volume Information\..
("." and ".." are the current- and parent-directory entries present in every directory listing, so these two items record activity in C:\System Volume Information, the System Restore store, rather than the creation of new directories.)
b. Memory Modifications
- There was a new process created in the system:
| Process Name | Process Filename | Main Module Size |
| wuaucldt.exe | %System%\wuaucldt.exe | 55,040 bytes |
- There were new memory pages created in the address space of the system process(es), i.e. the sample injected code into svchost.exe, so its network activity can appear to come from that process rather than from wuaucldt.exe:
| Process Name | Process Filename | Allocated Size |
| svchost.exe | %System%\svchost.exe | 110,592 bytes |
| svchost.exe | %System%\svchost.exe | 114,688 bytes |
c. Registry Modifications
- The newly created Registry Values are:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- wuaucldt = "%System%\wuaucldt.exe"
- Regedit32 = "%System%\regedit.exe"
so that wuaucldt.exe and regedit.exe run every time Windows starts
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Messaging Subsystem\MSMapiApps]
- outlook.exe = ""
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
- UpdateHost = FF F0 3C BE DE 8B
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- ProxyEnable = 0x00000000
- [HKEY_CURRENT_USER\Software\Microsoft]
- OSVersion = "1476760"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
- VendorId = DD 2F 92 01 CD A9 E7 47 A6 DA 02 04 4D EC E6 AE
(UpdateHost, OSVersion and VendorId are not standard Windows settings; their presence is a reliable indicator of this sample.)
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- wuaucldt = "%UserProfile%\wuaucldt.exe"
so that wuaucldt.exe runs every time Windows starts
- The following Registry Values were modified:
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
- Cookies =
- Cache =
- History =
d. Other details
- The HOSTS file was updated with the following hostname-to-IP mapping, which makes the name resolve to the local machine (a sinkhole entry):
127.0.0.1 jL.chura.pl
- There were registered attempts to establish connections with the following remote hosts:
| Remote Host | Port Number |
| 118.67.65.194 | 443 |
| 122.219.252.105 | 443 |
| 125.53.25.30 | 443 |
| 133.26.200.10 | 443 |
| 200.143.10.165 | 443 |
| 200.234.192.141 | 443 |
| 200.234.223.237 | 443 |
| 201.49.212.100 | 443 |
| 201.76.41.87 | 443 |
| 202.191.113.9 | 443 |
| 60.190.222.139 | 65520 |
| 91.193.194.98 | 80 |
- The following URL was then requested from the remote web server (an executable download):
- http://ad.ghura.pl/rc.exe
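The connection table above is one sandbox run's view, and remote addresses of this kind are short-lived, so a practitioner wants checks that also catch the behaviour: a connection to a non-standard high port such as 65520, and an executable fetched over plain HTTP from the payload host. The following Python is an added example, not part of the original report or of Sax2; it runs over constructed flow/proxy log lines in an assumed "timestamp src dst dport [url]" format and flags each flow with the reasons it matched.

```python
"""Network-side check for the connection indicators listed above.  Runs over
constructed flow/proxy log lines ('timestamp src dst dport [url]'), so it needs
no live capture.  Added example, not part of the original report."""
import ipaddress
from urllib.parse import urlsplit

# Remote hosts from the report's connection table
C2_IPS = {
    "118.67.65.194", "122.219.252.105", "125.53.25.30", "133.26.200.10",
    "200.143.10.165", "200.234.192.141", "200.234.223.237", "201.49.212.100",
    "201.76.41.87", "202.191.113.9", "60.190.222.139", "91.193.194.98",
}
ODD_PORTS = {65520}                 # the one non-standard port in the table
PAYLOAD_HOST = "ad.ghura.pl"        # host of the rc.exe download


def parse_flow(line):
    """Parse one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ipaddress.ip_address(parts[2])
        port = int(parts[3])
    except ValueError:
        return None
    return {"ts": parts[0], "src": parts[1], "dst": parts[2], "dport": port,
            "url": parts[4] if len(parts) > 4 else None}


def classify(flow):
    """Return the list of reasons a flow is suspicious (empty if none)."""
    reasons = []
    if flow["dst"] in C2_IPS:
        reasons.append("known C2 address")
    if flow["dport"] in ODD_PORTS:
        reasons.append(f"unusual destination port {flow['dport']}")
    if flow["url"]:
        u = urlsplit(flow["url"])
        if u.hostname == PAYLOAD_HOST:
            reasons.append("payload host")
        if u.scheme == "http" and u.path.lower().endswith(".exe"):
            reasons.append("executable fetched over plain HTTP")
    return reasons


def scan_log(lines):
    """Return (timestamp, dst, dport, reasons) for every suspicious flow."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        reasons = classify(flow)
        if reasons:
            hits.append((flow["ts"], flow["dst"], flow["dport"], reasons))
    return hits


# Constructed sample log: three flows from the report, one benign flow to a
# documentation address (TEST-NET-1), and one malformed line
SAMPLE_LOG = """2009-01-01T10:00:01 10.0.0.5 118.67.65.194 443
2009-01-01T10:00:02 10.0.0.5 60.190.222.139 65520
2009-01-01T10:00:03 10.0.0.5 91.193.194.98 80 http://ad.ghura.pl/rc.exe
2009-01-01T10:00:04 10.0.0.5 192.0.2.10 443
this line is malformed""".splitlines()

if __name__ == "__main__":
    for ts, dst, port, why in scan_log(SAMPLE_LOG):
        print(f"{ts} -> {dst}:{port}  {'; '.join(why)}")
```

The address set will go stale; the port and plain-HTTP executable checks are the part worth keeping in a detection policy after these particular hosts disappear.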
3. How-to's
a. How to prevent Trojan.Win32.Small.acyq?
Keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans (the connection attempts and the rc.exe download listed under "Other details" above), it breaks the connection and protects your network and business.
b. How to Remove the Trojan.Win32.Small.acyq Manually?
Step 1: Use Windows Task Manager to end the Trojan.Win32.Small.acyq process
wuaucldt.exe
(Note the extra "d": the legitimate Windows Update client is wuauclt.exe. End only the process that runs from %System%\wuaucldt.exe or %UserProfile%\wuaucldt.exe.)
Step 2: Use Registry Editor to remove the Trojan.Win32.Small.acyq Registry Values
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
wuaucldt = "%System%\wuaucldt.exe"
Regedit32 = "%System%\regedit.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Messaging Subsystem\MSMapiApps]
outlook.exe = ""
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
UpdateHost = FF F0 3C BE DE 8B
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0x00000000
[HKEY_CURRENT_USER\Software\Microsoft]
OSVersion = "1476760"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
VendorId = DD 2F 92 01 CD A9 E7 47 A6 DA 02 04 4D EC E6 AE
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
wuaucldt = "%UserProfile%\wuaucldt.exe"
(Delete the listed values, not the keys: the Run keys and the Internet Settings key are used by Windows itself. wuaucldt.exe is registered under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, so clearing only one of them leaves the other to restart it at the next logon.)
Step 3: Detect and Delete Other Trojan.Win32.Small.acyq Files
%UserProfile%\wuaucldt.exe
[file and pathname of the sample #1]
%System%\wuaucldt.exe
%Windir%\Temp\VRT3.tmp
%Windir%\Temp\VRT4.tmp
%Windir%\Temp\VRT5.tmp
Step 4: Undo the remaining changes
Remove the "127.0.0.1 jL.chura.pl" line from %System%\drivers\etc\hosts. Then deal with the executables listed under "The following files were modified" above: the sample altered them in place, so deleting its own dropped files does not clean them. Replace them from known-good media (on Windows XP, sfc /scannow restores protected system files; reinstall the affected applications for the rest) and compare the results against a clean reference before trusting the machine again.
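To confirm that the manual steps above actually took, and to re-check a machine later, the indicators from the registry and HOSTS sections can be verified offline. The following Python is an added example, not part of the original report or of Sax2: it runs on a saved copy of the HOSTS file and on a .reg export (reg export <key> out.reg) rather than on a live registry, so it also works on a mounted disk image, and it adds a generalisation the report only implies, an edit-distance check for process names that imitate real Windows binaries (wuaucldt.exe against wuauclt.exe). The LOCAL_NAMES and LEGIT_NAMES lists and the sample artifacts are constructed assumptions.

```python
"""Offline host-side checks for the indicators in this report: the HOSTS
sinkhole entry, the Run-key and marker values, and the lookalike process name.
Runs on a saved HOSTS file and a .reg export (reg export <key> out.reg), so it
works on a mounted image. Added example, not part of the original report;
the sample artifacts below are constructed."""

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}
# (key suffix, value name, substring the data must contain or None), from the registry section
REG_IOCS = [
    (r"\Software\Microsoft\Windows\CurrentVersion\Run", "wuaucldt", "wuaucldt.exe"),
    (r"\Software\Microsoft\Windows\CurrentVersion\Run", "Regedit32", "regedit.exe"),
    (r"\Software\Microsoft\Windows\CurrentVersion\Explorer", "UpdateHost", None),
    (r"\Software\Microsoft", "OSVersion", None),
    (r"\Software\Microsoft\Windows\CurrentVersion", "VendorId", None),
]
# Real Windows process names that droppers imitate (wuaucldt.exe vs wuauclt.exe); assumed list
LEGIT_NAMES = {"wuauclt.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}

def hosts_redirects(text):
    """(name, ip) pairs where a non-local hostname is pointed at loopback."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip in LOOPBACK:
            hits.extend((n, ip) for n in names if n.lower() not in LOCAL_NAMES)
    return hits

def parse_reg_export(text):
    """Minimal .reg parser: {key: {value_name: data}} for one-line values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = name if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")  # .reg escapes \ as \\
    return keys

def registry_hits(reg):
    """Match parsed keys/values against REG_IOCS, case-insensitively."""
    hits = []
    for key, values in reg.items():
        for suffix, vname, needle in REG_IOCS:
            if not key.lower().endswith(suffix.lower()):
                continue
            for name, data in values.items():
                if name.lower() == vname.lower() and (needle is None or needle.lower() in data.lower()):
                    hits.append((key, name, data))
    return hits

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name):
    """The legitimate binary name that `name` imitates (within two edits), or None."""
    n = name.lower()
    if n in LEGIT_NAMES:
        return None
    return next((legit for legit in sorted(LEGIT_NAMES) if edit_distance(n, legit) <= 2), None)

# Constructed samples shaped like the report's findings
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 jL.chura.pl
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"wuaucldt"="C:\\WINDOWS\\system32\\wuaucldt.exe"
"Regedit32"="C:\\WINDOWS\\system32\\regedit.exe"

[HKEY_CURRENT_USER\Software\Microsoft]
"OSVersion"="1476760"
"""

if __name__ == "__main__":
    print("HOSTS sinkholes:", hosts_redirects(SAMPLE_HOSTS))
    print("Registry IOCs:", registry_hits(parse_reg_export(SAMPLE_REG)))
    print("wuaucldt.exe imitates:", lookalike("wuaucldt.exe"))
```

Export both Run keys (HKLM and HKCU) plus HKCU\Software\Microsoft before and after the manual removal and run the checks on each export; an empty result from registry_hits and hosts_redirects is the confirmation that Steps 2 and 4 are complete, while the lookalike check is the quick screen to apply to any unfamiliar process name in Task Manager.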
c. How to Remove these trojans Instantly?
Manual removal is a difficult process and is not recommended unless you are an expert in this field. Your best defense is therefore to download and install a reliable anti-spyware program and scan your machine. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.
4. Appendix
For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm