ALIASES:

Proxy

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

PROXY malware is known to act as a proxy server, allowing remote malicious users to utilize the affected systems in order to hide their identities when performing malicious activities. Its variants are mainly seen being involved in spam attacks.

PROXY malware are usually downloaded and/or dropped into systems by way of spammed messages with suspicious attachments. It steals the affected computer's name.

Some PROXY Trojans may upload and download files. Others may have the capability to run a command prompt on the infected machine.

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Compromises system security, Connects to URLs/IPs, Steals information

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

  • %User Temp%\wuweb.exe
  • %User Startup%\msproof.exe
  • %User Temp%\{malware name}.pdf

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

It drops the following copies of itself into the affected system:

  • %System%\vhosts.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This Trojan modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe,,{malware path}\{malware name}.exe"

(Note: The default value data of the said registry entry is %System%\userinit.exe.)

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\msupdate
ImagePath = "%System%\vhosts.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\msupdate
DisplayName = "Microsoft security update service"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\msupdate
Description = "This service downloading and installing Windows security updates"

Other System Modifications

This Trojan adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\msupdate

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://{BLOCKED}te.{BLOCKED}user.com:443
  • http://www.{BLOCKED}d.{BLOCKED}r.jp/main/map/news/index.php
  • http://www.{BLOCKED}d.{BLOCKED}r.jp/main/map/news/xmlrpc.php
  • http://www.{BLOCKED}d.{BLOCKED}r.jp/main/map/news/feeds.php
  • http://www.{BLOCKED}d.{BLOCKED}r.jp/main/map/news/show.php
  • http://www.{BLOCKED}d.{BLOCKED}r.jp/main/map/news/files/
  • http://{BLOCKED}0.2.131.201/{random characters}d.jsp?{random characters}
  • http://{BLOCKED}c.{BLOCKOED}list.org/main/map/news/index.php
  • http://{BLOCKED}c.{BLOCKED}list.org/main/map/news/xmlrpc.php
  • http://{BLOCKED}c.{BLOCKED}list.org/main/map/news/feeds.php
  • http://{BLOCKED}c.{BLOCKED}elist.org/main/map/news/show.php
  • http://{BLOCKED}c.{BLOCKED}list.org/main/map/news/files/
  • http://www.{BLOCKED}s.co.jp/main/map/news/index.php
  • http://www.{BLOCKED}s.{BLOCKED}o.jp/main/map/news/xmlrpc.php
  • http://www.{BLOCKED}s.co.jp/main/map/news/feeds.php
  • http://www.{BLOCKED}s.co.jp/main/map/news/show.php
  • http://www.{BLOCKED}s.co.jp/main/map/news/files/
  • http://{BLOCKED}k.jp/main/map/news/index.php
  • http://{BLOCKED}k.jp/main/map/news/xmlrpc.php
  • http://{BLOCKED}k.jp/main/map/news/feeds.php
  • http://{BLOCKED}k.jp/main/map/news/show.php
  • http://{BLOCKED}k.jp/main/map/news/files/
  • http://{BLOCKED}lherbalsinc.com/so/stat.php