Small-DRG in Pagefile.sys [Trj] Win32:Small-DRG

The following Trojan was detected by Avast 4.7-942 yet the only info I can find was that it was included in the Nov 2006 version of VPS. I’ve tried the Avast Virus Cleaner and it completes without finding any viruses. I have also used Kaspersky Internet Security 6.0 from a different operating system loaded on the same computer and it does not find this virus/Trojan.

Does anyone have any information or details on this virus/Trojan, it’s actions, or how to remove it?

Updated with additional info.
Read what to do entry on this board. Updating with answers to those questions. Answers follow questions preceded by ***

  1. How was it detected? What was scanning, you yourself or the back-ground scanner? When did the message occur on a download, unzipping, opening a file, mail or mail-attachment, etc.?
    *** Virus was detected by on-demand scan using Avast Home Edition 4.7-942 Virus Database 000730-0 dated April 2, 2007
  2. What was the source of the file, where did the file come from?.: e.g. address, URL, source.
    *** File is C:\Pagefile.sys on Windows XP machine.
  3. When was it downloaded or received?
    *** Unknown
  4. What is the exact file name with extension.
    *** C:\Pagefile.sys
  5. What was the exact wording of the message that the AV program came up with? This is important for later.
    ***avast! Warning / A Trojan Horse Was Found! / There is no reason to panic, though. Try to follow the given advice and links. / File name: C:\Pagefile.sys /
    Malware name: Wind32:Small-DRG [Trj]/ VPS version: 000730-0,04/02/2007 / Recomendded action: Move to chest
  6. Now go back and do nothing yet. Scan the particular file once again with your AV product.
    A. The message is in the same wording: maybe positive alert
    ***Exact same wording and repeatable.
    B. If the message is not in the same wording or the scan does not find up anything this could be a false positive.
  7. Check with an on line scanner or update to jotti for a second opinion. Jotti resides at http://virusscan.jotti.org/
    *** Check with Symantec Online Scanner, no viruses found. File at approximately 2.1 GB was to big for jotti. Exact size 2,145,386,496 bytes
  8. Go get informed ask a Virus Encyclopedia or Virus Central, put a question on a forum.
    *** Checked Virus Encyclopedia and put question on forum.
  9. Make an informed decision on the basis of what you have found.
    *** Will do as I find out more
  10. Inform others about what you have learned, if the file came from a reliable source, author, programmer etc. send a friendly e-mail with your findings. This will help us all.
    *** Will do as I find out more

Does the virus remain active after you boot the computer?
The contents of the pagefile.sys should be replaced and the infection disappear…

Hi RussWH,

Description

Important Note for Users: In order to avoid infection or reinfection from this malware, it is vital that your machine has been patched to address the Malformed Object Tag vulnerability that the malware exploits. Please visit Microsoft to download the relevant patch at: http://www.microsoft.com/technet/security/bulletin/MS03-032.asp.

JunkSurf is a trojan known to be distributed attached to email SPAM. It exploits the Malformed Object Tag vulnerability in Microsoft Internet Explorer to execute code without user’s knowledge.

This malware consists of 3 parts, a HTML file , a CGI script and an executable. The HTML file and CGI script contains MS03-032 exploit code to drop and execute an executable, DRG.EXE (1,536 bytes), which will in turn download and install SURFERBAR.DLL from a web site hosted at IP address 63.246.130.201.

SURFERBAR.DLL (508,000 bytes) is downloaded and saved as “c:\Program Files\win32.dll” on the affected machine. It adds many Internet shortcuts pointing to various web sites that contains adult contents to the affected machine. It carries another executable, WINSRV32.EXE (6,657 bytes), which is used to periodically check its installation on the affected system.

polonus

I have also used Kaspersky Internet Security 6.0 from a different operating system loaded on the same computer and it does not find this virus/Trojan.

Detections in Pagefile.sys are prone to false positive identification of viruses, for some reason. Unless you find traces in other locations, you can probably ignore the warnings, especially if Kaspersky found nothing.

Search the forum for Pagefile.sys and you will see what I#m talking about.

Well, the signature looks quite OK… I wouldn’t expect such a snippet to appear in the pagefile normally.
You can try to scan the operating memory and see if the same detection occurs in any running process. What avast! do you use - Home or Professional?

Thanks to everyone for their comments and suggestions. Sorry for the late reply as I’ve been out a town for a week. The Small-DRG continues to be found in C:\pagefile.sys by Avast Home Edition 4.7 - 942 even after multiple reboots. Polonus, Thank you for the detailed writeup. I’ve read the microsoft link, but I’m thinking that with patch being critical I should have already received that patch long ago as I religiously keep MS patches updated. Please advise if my thinking is wrong here. With search of system files enabled, I’ve searched my system for win32.dll, winsrv32.exe and DRG.EXE and found none of them. Based on your writeup, I’ll add 63.246.130.201 as a restricted site for Internet Explorer. I’ll also tell everyone some more about the system and it’s configuration. The system is loaded with two operating systems Win XP Professional SP2, and Win XP Professional 64 bit Edition, in a dual boot configuration. The Win 32 bit is the on the C:\ drive where the virus is being detected. On this side I’m using Internet Explorer 7.0.5730.11 with 128 bit security. The Win XP 64 Bit side reside on a D:\ logical partition and uses a 64bit version of Internet Explorer 6. I run Avast Home on the 64 bit side and this is what is detecting the Small-DRG [Trj] in C:\pagefile.sys. When I run Kaspersky Internet Security 6.0 from the 32 bit side it detects no viruses.Because I could not seem to remove the virus, I backed up my data, deleted the C partition, recreated and formated the newly created C:\ partition and reloaded Windows, and Kaspersky without being connected to the Internet. I then told Kaspersky to get updates and allowed Internet access to download all the latest updates. I then immediately performed Windows updates, multiple times until all the critical updates were loaded. Then rebooted to the 64bit side to run Avast, where it still reported a virus in C:\Pagefile.sys

I’m beginning to think it’s a false positive, but wanted to be absolutely sure before performing more financial transactions when booted on the 32bit side.

[size=10pt][size=10pt]Small-DRG defeated!!! [/size][/size] First time I did the reinstall of the operating system I remembered that I had installed Win XP SP1 and then updated to SP2 online. During the time to download all those megabytes of info, SMALL-DRG must of slipped in again. Second time did reinstall directly with Win XP SP2, with Internet OFF, Loaded Kaspersky wiht Internet Off, Opened Internet to download Kaspersky updates. Rebooted to WIN 64 side and ran Avast which found SMALL-DRG only in my “moved pagefile.sys” files from previous infection. Rebooted to Win XP Pro 32bit side, open Internet performed all Windows updates. I did put in restrictions on both 32 bit and 64 bit sides by adding 63.246.130.201 as a restricted site. I’ve now been running clean for over 36 overs with multiple clean reboots. :smiley:

As a workaround, you can add the pagefile.sys file to the Exclusion lists of avast.

Small-DRG Defeated

Kind of drastic measures but did finally rid this pesky beast

How… it will be good to learn and know what have you done… ???