Systweak Spyware Library
Systweak Spyware Library text
More than 21875 spyware signatures and growing
Microsoft Gold Certified Partner
Search in:
Trojan-ProxyServer.Agent Analysis Report
Threat Submitted On: 5/31/2007 7:14:00 AM
Threat Analysed On: 5/31/2007 12:14:00 PM
Threat Updated On: 1/27/2011 10:44:37 AM
Type : Trojan-ProxyServer
Symptoms of Agent
  • Attackers can remotely access the user’s machine.
  • Can be sent to the system with Trojan packs.
  • Poses security threats.
Information
Alias : Trojan-ProxyServer.Agent.mh
Md5 Hash : [36f6df0a7a9fc5d308b69d39f300bc8d]
File Size : (30720 bytes)

Technical Details

Here are the Technical findings of our analysis team after analyzing this malware in detail :-

Creates the following infected Files on user's System
Note:
Delete the following Files to remove Infection
File: msvcrt64.dll
Path : %windir%\system32

Md5Hash :ee2b7f12ff83df888d2b7cba363a36ba ( 20480 bytes)
File: upg_pb_10.exe
Path : %windir%\system32

Md5Hash :d79ac9625be0bc0343816b4402208ab1 ( bytes)
File: twain_32.exe
Path : %windir%

Md5Hash :a9278debf8fbc4b7ce8b767ff0c973c1 ( 14848 bytes)
File: [randomname].exe
Path : %workingdir%

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
36f6df0a7a9fc5d308b69d39f300bc8d ( 30720 bytes)
a9278debf8fbc4b7ce8b767ff0c973c1 ( 14848 bytes)
The following Registry Values are added to the provided Registry Keys :-
Note:
Delete the added Values from the Key to remove Infection
|__ Value Added :
PBCOMPID = "cwsandboxekta/spyeraser"
|__ Value Added :
PBID = "8a373683-082e-42bb-b68c-6f030276c520"
|__ Value Added :
PBOSVersion = "win xp / service pack 2"
|__ Value Added :
PBPRIMARYHOST = "http://208.66.195.89:1161/proxy/gate-temp.php"
|__ Value Added :
PBPROXYMODULEPATH = "/proxy/proxy2005.dll"
|__ Value Added :
PBRunFrom = "%windir%\system32\upg_pb_10.exe"
|__ Value Added :
PBSCRIPTPATH = "/proxy/gate-temp.php"
|__ Value Added :
PBSECONDARYHOST1 = "http://proxy.fraudcrew.com:1161/proxy/gate-temp.php"
|__ Value Added :
PBSECONDARYHOST2 = "http://hot50babes.com/proxy/gate-temp.php"
|__ Value Added :
PBSECONDARYHOST3 = "http://proxyservice2005.com/proxy/gate-temp.php"
|__ Value Added :
inctrl5 = "%windir%\twain_32.exe"
|__ Value Added :
MSN Gaming Zone = "%windir%\vmmreg32.exe"
Creates the following child process(s) on execution:

%windir%\system32\upg_pb_10.exe

%windir%\explorer.exe

services.exe

Tries to Download Files from the following links :-

http://208.66.195.89:1161/proxy/proxy2005.dll

http://proxy.fraudcrew.com:1161/proxy/proxy2005.dll

http://hot50babes.com/proxy/proxy2005.dll

http://proxyservice2005.com/proxy/proxy2005.dll

Creates the Following MUTEX(s) on user's System:-
shell.cmrupidllist
raspbfile
ctf.lbes.mutexdefaults-1-5-21-1614895754-1788223648-839522115-1005
ctf.compart.mutexdefaults-1-5-21-1614895754-1788223648-839522115-1005
ctf.asm.mutexdefaults-1-5-21-1614895754-1788223648-839522115-1005
ctf.layouts.mutexdefaults-1-5-21-1614895754-1788223648-839522115-1005
ctf.tmd.mutexdefaults-1-5-21-1614895754-1788223648-839522115-1005
_!shmsfthistory!_
msvcrt-64a87h8-4gf3-642d-g13e-777b908c213d
Tries To Connect to The Following Urls:-
Tries To Connect's to the following IP Address(s) through UDP(User DataGram Protocal) :-

NOTE:

1. %windir% Refers to the windows root folder. By default it is 'C:\Windows'
2. %workingdir% Refers to the current directory in which user is working.

Important: We strongly recommend that you backup the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted Files. Modify the malicious\suspicious Subkeys only.

Click Here for more spywarelib.com recommended PC Security and Optimization Tools

To modify registry entries in Windows Operating System:
Follow Steps:
1. Click Start > Run
2. Type “regedit” : to open registry editor
3. Navigate to required registry Key from the Left Tree control and modify accordingly.


Microsoft Gold Certified Partner

© Systweak Inc., 1999-2011 All rights reserved.