Today a trojan sample landed in my inbox, and a closer look showed it to be a trojan downloader. The unique thing about the file is that it is only 474 bytes in size, something almost unheard of. The PE (Portable Executable) file format normally requires a header that is at least 512 bytes, with another 512 bytes for the first code section, for a total of a 1-kilobyte file.
When analyzed, the file ran perfectly under Windows XP, and downloaded and executed a file from the Internet. You can see a hex view of the entire file to the right (with the URL it downloads from obscured).
A PE file consists of two headers: an old DOS header (a legacy header required for compatibility purposes) and the new PE header. Normally, the DOS header contains code that prints a message saying “This program must be run under Win32” if anyone attempts to execute it in DOS mode. This file’s DOS header contains only the mandatory MZ signature, followed two null bytes later by the PE signature. The pointer to the PE header actually points back into the DOS header, meaning the two headers have been merged to save space.
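As an added example, not code from the post or from TrojanHunter: a small Python checker that reads the DOS, COFF and optional header fields described above and flags the layout tricks a tiny PE relies on (PE header pointer landing inside the 64-byte DOS header, file and section alignment far below the usual 512 bytes and one page, total size under 512 bytes). The two sample images it builds are constructed for the demonstration; the entry point and image base values in them are arbitrary, and neither is the trojan from the post.

```python
import struct

DOS_HEADER_SIZE = 0x40          # IMAGE_DOS_HEADER is 64 bytes; e_lfanew is its last field
E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
COFF_HEADER_SIZE = struct.calcsize(COFF_HEADER_FMT)  # NumberOfSymbols, SizeOfOptionalHeader, Characteristics


def parse_pe_headers(data: bytes) -> dict:
    """Extract the header fields a tiny-PE heuristic needs; raise ValueError if not a plausible PE."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("missing MZ signature or truncated DOS header")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("e_lfanew does not point at a PE signature")
    coff = e_lfanew + 4
    opt = coff + COFF_HEADER_SIZE
    if len(data) < opt + 40:            # need at least through FileAlignment
        raise ValueError("optional header truncated")
    machine, nsections, _, _, _, size_opt, chars = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):     # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # SectionAlignment/FileAlignment sit at the same offsets in PE32 and PE32+.
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "number_of_sections": nsections,
        "size_of_optional_header": size_opt,
        "characteristics": chars,
        "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
        "section_alignment": struct.unpack_from("<I", data, opt + 32)[0],
        "file_alignment": struct.unpack_from("<I", data, opt + 36)[0],
    }


def tiny_pe_indicators(data: bytes) -> list:
    """Return the names of the tiny-PE tricks present in the image (empty list for a normal layout)."""
    h = parse_pe_headers(data)
    hits = []
    if len(data) < 512:
        hits.append("file_under_512_bytes")
    if h["e_lfanew"] < DOS_HEADER_SIZE:          # PE header merged into the DOS header
        hits.append("pe_header_overlaps_dos_header")
    if h["file_alignment"] < 512:                # default FileAlignment is 0x200
        hits.append("file_alignment_below_512")
    if h["section_alignment"] < 0x1000:          # default SectionAlignment is one page
        hits.append("section_alignment_below_page")
    return hits


def build_constructed_tiny_pe() -> bytes:
    """Constructed header layout (not the real trojan): MZ at 0, PE signature at 4."""
    buf = bytearray(474)
    buf[0:2] = b"MZ"
    buf[4:8] = PE_SIGNATURE
    # COFF header at 8: i386, one section, 0xE0-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into(COFF_HEADER_FMT, buf, 8, 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = 8 + COFF_HEADER_SIZE                   # optional header starts at 0x1C
    struct.pack_into("<H", buf, opt, 0x10B)      # PE32 magic
    struct.pack_into("<I", buf, opt + 16, 0x60)  # AddressOfEntryPoint (arbitrary, constructed)
    struct.pack_into("<I", buf, opt + 28, 0x00400000)  # ImageBase (arbitrary, constructed)
    # SectionAlignment lands at file offset 0x3C, so the same 4 bytes are also read as e_lfanew == 4.
    struct.pack_into("<I", buf, opt + 32, 4)
    struct.pack_into("<I", buf, opt + 36, 4)     # FileAlignment
    return bytes(buf)


def build_constructed_normal_pe() -> bytes:
    """Constructed conventional layout: real DOS header, PE header at 0x80, default alignments."""
    buf = bytearray(1024)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, 0x80)
    buf[0x80:0x84] = PE_SIGNATURE
    struct.pack_into(COFF_HEADER_FMT, buf, 0x84, 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x84 + COFF_HEADER_SIZE
    struct.pack_into("<H", buf, opt, 0x10B)
    struct.pack_into("<I", buf, opt + 32, 0x1000)
    struct.pack_into("<I", buf, opt + 36, 0x200)
    return bytes(buf)


if __name__ == "__main__":
    for name, image in (("tiny", build_constructed_tiny_pe()), ("normal", build_constructed_normal_pe())):
        print(name, len(image), "bytes ->", tiny_pe_indicators(image) or "no indicators")
```

Run it against a real file with `tiny_pe_indicators(open(path, "rb").read())`; any hit on the overlap or alignment checks is worth a second look, since legitimate compilers and linkers do not emit such layouts.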
Here is a breakdown of the unique file header for this file:

Here is a disassembly of the code, starting at the entry point:

As we can see, the downloader simply uses URLDownloadToFileA to download the file from the specified URL, calls ShellExecuteA to run the file and then terminates. I can tell you that someone went through a lot of trouble to create a downloader with that small a file size.
I predict we’ll see a lot more of these in the near future. I’ve just updated TrojanHunter’s generic detection routines to catch these, so if you’re a TrojanHunter user you can feel safe about these downloaders.

August 9, 2007 at 10:14 am
Holy shit dude, that’s pretty amazing; reminds me a lot of the Warhol worm style (throw and forget with tiny filesizes).
August 9, 2007 at 2:17 pm
See Tiny PE at
http://www.phreedom.org/solar/code/tinype/
August 15, 2007 at 7:59 am
Someone modified the Tiny PE to download that file. You can search in Google for the Tiny PE... to make the smallest valid PE... at the link provided by Pault.
August 18, 2007 at 11:28 pm
Hi, nice post, I enjoyed it.