Win32/TrojanProxy.Small.NP [Threat Name]

Win32/TrojanProxy.Small.NP [Threat Variant Name]

Category trojan
Size 48640 B
Detection created May 16, 2008
Detection database version 3105
Aliases Trojan.Win32.Pakes.jrs (Kaspersky)
  Backdoor.Trojan (Symantec)
  Generic.dx (McAfee)
Short description

Win32/TrojanProxy.Small.NP is a trojan that is used for spam distribution. It uses techniques common to rootkits.

Installation

When executed, the trojan copies itself into the %windir% folder under the following file name:

  • services.exe

The file is then executed.


The trojan deletes the original file.


The following file is dropped into the %system%\drivers\ folder:

  • beeper.sys (4416 B)

The trojan installs the following system driver:

  • beeper.sys

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "runservices" = "%windir%\services.exe"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\beep]
    • "ImagePath" = "%system%\DRIVERS\beeper.sys"
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop]
    • "id" = %number%
    • "host" = "66.232.101.162"
  • [HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]
    • "ForceRefreshFG" = 0
    • "PrevRsopLogging" = 1
    • "PrevSlowLink" = 0
    • "RsopStatus" = 0
    • "Status" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\services]
    • "del" = %filepath%
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center]
    • "FirewallDisableNotify" = 1
    • "FirewallOverride" = 1

%number% stands for a variable 12-digit number.


The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
    • "DefaultFileTypeRisk" = 1807
    • "ModRiskFileTypes" = ".exe"

This prevents Windows from displaying the Security Warning when launching a file downloaded from the Internet.

Payload information

The trojan can be used for sending spam.


The trojan acquires data and commands from a remote computer or the Internet. The HTTP protocol is used in the communication.


The recipient address is one of the following:

  • %variable%@hotmail.com
  • %variable%@yahoo.com
  • %variable%@aol.com
  • %variable%@google.com
  • %variable%@mail.com

A string with variable content is used in place of %variable%.


The SMTP protocol is used.

Other information

The following services are disabled:

  • wscsvc (Security Center)
  • sharedaccess (Windows Firewall/Internet Connection Sharing (ICS))

The trojan replaces the following file with one downloaded from the Internet:

  • %system%\drivers\etc\hosts

The downloaded file contains a long list of hosts entries that map the blocked domain names to 0.0.0.0:


This way the trojan blocks access to specific websites.
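The Registry entries listed under Installation and the hosts-file replacement described above give a defender two cheap host checks. The following is an added example (not ESET's code): registry data is passed in as a dict snapshot (key path -> {value name: data}) so it runs offline; on a live host the same checks would be fed from winreg. The hosts check is generalised to any 0.0.0.0 or 127.0.0.1 mapping, not only the names the description lists, and all sample data is constructed.

```python
"""Offline triage of the host indicators described for Win32/TrojanProxy.Small.NP."""
import re

# Value patterns taken from the description. The genuine services.exe is started
# by the system, never from a Run key, so any Run value launching a file of that
# name is suspect. "beep" is a legitimate service name whose ImagePath is
# redirected to the dropped beeper.sys.
SUSPECT_VALUES = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run":
        {"runservices": re.compile(r"(?i)\\services\.exe$")},
    r"HKLM\SYSTEM\CurrentControlSet\Services\beep":
        {"ImagePath": re.compile(r"(?i)\\beeper\.sys$")},
    r"HKLM\Software\Microsoft\Security Center":
        {"FirewallDisableNotify": 1, "FirewallOverride": 1},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations":
        {"DefaultFileTypeRisk": 1807, "ModRiskFileTypes": ".exe"},
}

def check_registry(snapshot):
    """Return (key, value name, data) for every value matching an indicator."""
    hits = []
    for key, values in SUSPECT_VALUES.items():
        present = snapshot.get(key, {})
        for name, expected in values.items():
            data = present.get(name)
            if data is None:
                continue
            if isinstance(expected, re.Pattern):
                if expected.search(str(data)):
                    hits.append((key, name, data))
            elif data == expected:
                hits.append((key, name, data))
    return hits

HOSTS_LINE = re.compile(r"^\s*(?:0\.0\.0\.0|127\.0\.0\.1)\s+(\S+)")

def sinkholed_hosts(hosts_text):
    """Return names the hosts file black-holes (excluding localhost itself)."""
    names = []
    for line in hosts_text.splitlines():
        m = HOSTS_LINE.match(line.split("#", 1)[0])  # drop comments first
        if m and m.group(1).lower() != "localhost":
            names.append(m.group(1).lower())
    return names

if __name__ == "__main__":
    # Constructed sample data mirroring the description, not a real capture.
    snap = {r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run":
                {"runservices": r"C:\WINDOWS\services.exe"}}
    print(check_registry(snap))
    print(sinkholed_hosts("127.0.0.1 localhost\n0.0.0.0 www.eset.com\n"))
```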


The trojan hides

  • files
  • processes

which contain one of the following strings in their name:

  • services
  • SERVISES

The trojan hides Registry entries which contain one of the following strings in their name:

  • runservices

The trojan opens a random TCP port.


The trojan can download and execute a file from the Internet. The trojan contains a URL.
