Win32/ProxyChanger [Threat Name]

Win32/ProxyChanger.NA [Threat Variant Name]

Category: trojan
Size: 2099200 B
Detection created: Jan 08, 2014
Detection database version: 9265
Aliases: Trojan.Win32.BHO.cfmv (Kaspersky)
  TrojanDownloader:Win32/Qhost (Microsoft)
  TR/BHO.cfmv (Avira)
Short description

Win32/ProxyChanger.NA is a trojan that prevents access to certain web sites and reroutes traffic to certain IP addresses.

Installation

The trojan does not create any copies of itself.

Information stealing

The trojan collects the following information:

  • computer name

The trojan attempts to send gathered information to a remote machine.


The trojan contains a URL address. The HTTP protocol is used in the communication.

Other information

The trojan replaces the following files with ones downloaded from the Internet:

  • C:\WINDOWS\system32\drivers\etc\hosts
  • C:\WINDOWS\system32\drivers\etc\lmhosts
  • C:\WINDOWS\system32\drivers\etc\lmhosts.sam

The trojan contains a list of 4 URLs. The HTTP protocol is used.


The trojan may redirect the user to the attacker's web sites.


The trojan may delete the following files:

  • C:\WINDOWS\hosts
  • C:\WINDOWS\lmhosts
  • C:\WINDOWS\system32\drivers\etc\hosts
  • C:\WINDOWS\system32\drivers\etc\lmhosts
  • C:\WINDOWS\system32\drivers\etc\lmhosts.sam
  • C:\WINDOWS\system32\jiraia

The trojan may create the following files:

  • C:\WINDOWS\system32\cruzeiro3.txt (0 B)
  • C:\WINDOWS\system32\moitano.dat (0 B)
  • C:\updatezinhcao2.txt (0 B)

The trojan can download a file from the Internet.


The file is stored in the following location:

  • c:\merlim.exe

The file is then executed.
