This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Minimum DAT: 4300 (2003-10-29)
Updated DAT: 4317 (2004-01-21)
Minimum Engine: 5.1.00
File Length: 102,400 bytes
Description Added: 2003-10-28
Description Modified: 2003-10-30
This is a proxy server trojan, designed to turn an infected system into an email spam relay. The trojan opens two random IP ports and sends infection notification to the author.
When the trojan is run, it copies itself to the Windows system directory (%SysDir%) as syscpy.exe. A registry Run key is created to load the trojan at startup:
The trojan contacts two anti-spam web sites, abust.net and spamcop.net, to check whether the IP address of the infected system has been blacklisted. Presumably it records the result when the address is listed.
A random TCP port and a random UDP port are opened. Information/notification is posted to a page on a remote website (note: several variants have been discovered; this is a partial list, and new variants will likely use other sites).
The information sent to the page was likely entered into a database for future spam use. A remote attacker must send the appropriate packets to infected systems in order to exploit them.
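The description above gives four host-side indicators: the dropped copy syscpy.exe in %SysDir%, a Run key that launches it, lookups of the two anti-spam sites, and one TCP plus one UDP listener held by the process. The following is an added example of how a responder might evaluate a host snapshot against those indicators; it is not McAfee/AVERT code. The HostSnapshot layout, the helper names and the sample snapshots are constructed for this example, and a single blacklist lookup on its own is deliberately not treated as a finding, since legitimate mail servers query these sites too.

```python
"""Check a host snapshot for the trojan indicators given in the description.

Constructed example (not McAfee/AVERT code).  The HostSnapshot format is an
assumption made for this example; the indicators themselves come from the
page: syscpy.exe dropped in %SysDir%, a Run key launching it, lookups of the
two anti-spam sites, and a TCP plus a UDP listener opened by the process.
"""
from dataclasses import dataclass
import ntpath

TROJAN_FILENAME = "syscpy.exe"
BLACKLIST_SITES = {"abust.net", "spamcop.net"}  # spelled as on the page


@dataclass
class HostSnapshot:
    """Artifacts collected from one host (layout assumed for this example)."""
    system_dir: str                           # e.g. C:\WINDOWS\system32
    system_dir_files: list[str]               # file names found in system_dir
    run_values: dict[str, str]                # Run key value name -> command line
    http_hosts: list[str]                     # hosts contacted over HTTP
    listeners: list[tuple[str, int, str]]     # (protocol, port, owning process)


def _exe_from_command(command: str) -> str:
    """Return the lower-cased base name of the executable in a Run command.

    Accepts both quoted ("C:\\dir\\x.exe" /arg) and unquoted (C:\\dir\\x.exe)
    forms; anything after the executable path is ignored.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end != -1 else command[1:]
    else:
        parts = command.split()
        exe = parts[0] if parts else ""
    return ntpath.basename(exe).lower()


def find_indicators(snap: HostSnapshot) -> list[str]:
    """Return one string per matched indicator, in a fixed order."""
    hits = []

    # 1. Dropped copy of the trojan in the system directory.
    if any(f.lower() == TROJAN_FILENAME for f in snap.system_dir_files):
        hits.append("file: " + ntpath.join(snap.system_dir, TROJAN_FILENAME))

    # 2. Startup persistence: a Run value whose command launches syscpy.exe.
    for name, command in snap.run_values.items():
        if _exe_from_command(command) == TROJAN_FILENAME:
            hits.append(f"autorun: Run\\{name} -> {command}")

    # 3. Blacklist self-check: both anti-spam sites queried from the same host.
    contacted = {h.lower() for h in snap.http_hosts} & BLACKLIST_SITES
    if contacted == BLACKLIST_SITES:
        hits.append("network: queried " + ", ".join(sorted(contacted)))

    # 4. Relay readiness: the trojan process holds one TCP and one UDP listener.
    protos = {proto.lower() for proto, _port, proc in snap.listeners
              if proc.lower() == TROJAN_FILENAME}
    if {"tcp", "udp"} <= protos:
        hits.append("listener: syscpy.exe has TCP and UDP ports open")

    return hits


def is_infected(snap: HostSnapshot) -> bool:
    """Dropped file plus Run-key persistence is enough to call the host infected."""
    hits = find_indicators(snap)
    return (any(h.startswith("file:") for h in hits)
            and any(h.startswith("autorun:") for h in hits))


# Constructed sample snapshots (not real host data).
INFECTED = HostSnapshot(
    system_dir=r"C:\WINDOWS\system32",
    system_dir_files=["kernel32.dll", "SysCpy.exe", "ntdll.dll"],
    run_values={"syscpy": r'"C:\WINDOWS\system32\syscpy.exe"',
                "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    http_hosts=["abust.net", "spamcop.net", "update.example.test"],
    listeners=[("TCP", 27493, "syscpy.exe"), ("UDP", 41123, "syscpy.exe"),
               ("TCP", 135, "svchost.exe")],
)

CLEAN = HostSnapshot(
    system_dir=r"C:\WINDOWS\system32",
    system_dir_files=["kernel32.dll", "ntdll.dll"],
    run_values={"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    http_hosts=["spamcop.net"],          # one lookup alone is not a finding
    listeners=[("TCP", 135, "svchost.exe")],
)

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, is_infected(snap), find_indicators(snap))
```

The random listener ports cannot be matched by number, so the check keys on the owning process name instead; on a live host that field would come from a per-process socket listing. The verdict deliberately rests on the file drop and the Run key, which the cleaning note below says the recommended engine and DAT combination removes.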
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).