Trojan-Proxy.Win32.Mitglieder.ee
| Alert Level : | Medium |
| Discovered: | Nov 30 2006 |
| Tag: | Trojan-Proxy-Servers |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This Trojan program makes it possible for a remote malicious user to use the victim machine as a proxy mail server. It is a Windows PE EXE file.
It is 8,768 bytes in size, and packed using FSG. The unpacked file is approximately 53KB in size.
Installation
This Trojan was mass mailed as an attachment to messages with the following contents:
Once launched, the Trojan copies itself to the Windows root directory as "winhost.exe":
%System%/winhost.exe
It then registers this file in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winhost" = "%System%/winhost.exe"
This ensures that the Trojan will be launched each time Windows is rebooted on the victim machine.
The Trojan also creates the following system registry keys:
[HKCU\Software\Timeout]
"uid" = <random 9 figure number>
"pid" = <winhost process identifier>
"port" = 9085
In order to evade the Windows XP firewall, the Trojan creates the following registry keys:
[HKLM\System\CurrentControlSet
"%System%\winhost.exe"="%System%\winhost.exe:*:Enabled:winhost"
[HKLM\System\ControlSet001
"%System%\winhost.exe"="%System%\winhost.exe:*:Enabled:winhost"
[HKLM\System\ControlSet002
"%System%\winhost.exe"="%System%\winhost.exe:*:Enabled:winhost"
[HKLM\System\ControlSet003
"%System%\winhost.exe"="%System%\winhost.exe:*:Enabled:winhost"
This means winhost.exe will be included in the Windows firewall list of trusted processes.
Payload
The Trojan launches a mail proxy server on TCP port 9085. It has the following functionality:
- Sending spam
- Downloading and launching files
- Updating - a downloaded file will be launched, and the source file will be deleted.
In order to communicate with its author/user, the Trojan connects to the following sites in turn:
The Trojan searches memory for the following processes and attempts to terminate them:
Avpupd.exe
LuCallbackProxy.exe
drwebupw.exe
nod32krn.exe
nod32kui.exe
The Trojan also attempts to download a file from http://www.b***g.org/img/ssav.exe. The file will be downloaded, saved to %Windir%/ssav.exe and launched for execution. The following registry key will be created:
[HKCU\Software\Timeout]
"ssav" = 1
Removal instructions for Trojan-Proxy.Win32.Mitglieder.ee:
- Use Task Manager to terminate the following process:
winhost.exe
- Delete the following registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winhost" = "%System%/winhost.exe"
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine) and the copy of itself which the Trojan creates:
%System%/winhost.exe
- Delete the following registry keys:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
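As an added defender-side check that is not part of the original advisory, the following PowerShell script audits the artifacts described above: the firewall exception list in every control set, the HKCU Run entry, the HKCU\Software\Timeout configuration key, and a listener on TCP 9085. It assumes a PowerShell that provides Get-NetTCPConnection (Windows 8 / Server 2012 or later) and treats any enabled firewall exception for an unsigned or missing binary as a triage hit, not proof of infection.

```powershell
# Added audit script (not from the original advisory). Indicator names (winhost.exe,
# HKCU\Software\Timeout, TCP 9085) come from the description above; the value format
# "<path>:<scope>:<Enabled|Disabled>:<display name>" is the standard XP-era firewall list.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Firewall exception list in every control set (the Trojan writes all of them).
$listSubPath = 'Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
Get-ChildItem 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -match '^(ControlSet\d+|CurrentControlSet)$' } |
  ForEach-Object {
    $key = Join-Path $_.PSPath $listSubPath
    if (-not (Test-Path $key)) { return }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        # Split on ':' except the drive-letter colon (the one followed by '\').
        $fields = ([string]$item.GetValue($name)) -split ':(?!\\)'
        $path   = [Environment]::ExpandEnvironmentVariables($fields[0])
        $state  = if ($fields.Count -ge 3) { $fields[2] } else { '?' }
        $sig    = if (Test-Path -LiteralPath $path) {
                      (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
                  } else { 'FileMissing' }
        # Flag the known file name, plus any enabled exception for an unsigned/missing binary.
        if ((Split-Path $path -Leaf) -ieq 'winhost.exe' -or ($state -eq 'Enabled' -and $sig -ne 'Valid')) {
            $findings.Add("$($_.PSChildName): firewall exception '$name' ($state, signature: $sig)")
        }
    }
  }

# 2. Per-user persistence entry.
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['winhost']) {
    $findings.Add("HKCU Run value 'winhost' = $($run.winhost)")
}

# 3. The Trojan's own configuration key.
if (Test-Path 'HKCU:\Software\Timeout') {
    $t = Get-ItemProperty 'HKCU:\Software\Timeout'
    $findings.Add("HKCU\Software\Timeout present: uid=$($t.uid) pid=$($t.pid) port=$($t.port) ssav=$($t.ssav)")
}

# 4. Proxy listener on the port named in the description.
Get-NetTCPConnection -LocalPort 9085 -State Listen -ErrorAction SilentlyContinue |
  ForEach-Object { $findings.Add("TCP 9085 listening, owning process $($_.OwningProcess)") }

if ($findings.Count -eq 0) { 'No Mitglieder.ee indicators found.' } else { $findings }
```

Run it from an elevated prompt so every control set and the HKLM firewall list are readable; unsigned legitimate applications will also appear in step 1 and need manual review.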