Home>Trojan Programs>Other Trojan>

Trojan-Proxy.Win32.Ranky.cq

Alert Level :	Medium
Discovered:	Apr 11 2006
Tag:	Trojan-Proxy-Servers
Discoverer and Source:	http://www.kaspersky.com/

Malware Behavior and Technical Description

This Trojan program makes it possible for a remote malicious user to use the machine as a proxy-server.

The Trojan itself is a Windows PE EXE file written in Visual C , packed using UPX. The file can be between 39KB - 53KB in size.

Installation

Once launched, the Trojan registers itself in the system registry, ensuring that it will be launched each time Windows is rebooted on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Services"="<path to Trojan program>"

The Trojan creates a unique identifier, "Windows-Update-Service" to flag its presence in the system.

Payload

Once launched, the Trojan listens on a random TCP port to realize the proxy-server function. The number of the port chosen is randomly generated, and will be in the range 1025 - 5024. If it is not possible to listen on this port, a new attempt will be made, with the port number being regenerated.

The worm then establishes a connection to cb.im***itethinking.biz. If this is unsucessful, the attempt will be repeated at 15 minute intervals.

If the connection is successful, the number of the port which the Trojan is listening on will be encoded and transmitted to port 3878 on the server in encrypted form.

Once the remote malicious user receives this data, s/he will be able to use the victim machine as a proxy-server.

Removal Trojan-Proxy.Win32.Ranky.cq instructions:

1. Determine the name of the Trojan program by using regedit or another utility to edit the system registry. View the "Services" parameter in the [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] key; this parameter gives the full path to the malicious program.
2. Use Task Manager to terminate the process with the Trojan name.
3. Delete the original Trojan file.
4. Delete the following value from the system registry key: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   

   Need help? Live computer support via remote at SupportSpace.Help with printer problems, windows, hardware, software, spyware removal and more. - Go Now!

   Great Anti-Virus Software : Kaspersky Internet Security 2009 Save 35% Buy Panda Global Protection 2009 and Panda Antiviru Download PandaLabs Reports Free AVG virus removel tools Hunting Down Spyware and Adware Adware and spyware, knowing the basics Adware Spyware Remover from CBAdvance Keeping Your Computer in Good Condition Using Free Spyware A Beware of Covert Online Spies Why the Need to Remove Adware and Spyware