This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Minimum DAT: 4314 (2004-01-14); updated DAT 4661 (2005-12-28)
Minimum Engine: 5.1.00
File Length: 33,290 bytes
Description Added: 2004-01-09
Description Modified: 2004-02-12
-- Update February 12th 2004 --
A new variant of Proxy-MitGlieder was received, which is intended to propagate via the backdoor installed by W32/Mydoom.a@MM and W32/Mydoom.b@MM. This variant is 10,240 bytes in size and is UPX packed. It is detected as:
--
This is a detection for a backdoor trojan that also tries to download further malicious files. There are multiple versions of this trojan proxy; the details below are specific to one such variant. Exact details such as filename, Registry key name, file size, etc. will vary.
After execution, it copies itself to the %windir%\system32 folder and creates a registry key in order to be executed at system boot.
It monitors the process list and tries to terminate programs with these names:
TCP connections are established to various web servers:
It opens TCP port 39999 on the infected machine and may receive commands from an attacker.
One version of this trojan attempted to download a file from the following web servers:
This file is written to %WinDir% and is named 'SAGEBOX.EXE'. It is a new variant of a password-stealing trojan and is detected with the 4314 DAT files, or higher, as PWS-LDPinch.
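The description gives three host-level observables that can be correlated without a scanner: a TCP listener on port 39999, a process image under %windir%\system32 that a Run key launches at boot, and a downloaded %WinDir%\SAGEBOX.EXE. The following Python triage helper is an added example, not McAfee's tooling or part of the original description. The `netstat -ano`, `tasklist /fo csv` and Run-key samples it parses are constructed, and the image name `svhost.exe` is hypothetical, since the description states that filenames and key names vary between variants.

```python
"""Offline triage for the Proxy-Mitglieder indicators in the description.

Added example, not McAfee's tooling.  It correlates a TCP listener on port
39999 with the owning process image and with any Run-key value that launches
that image from %windir%\\system32, and checks %WinDir% for SAGEBOX.EXE.
All sample inputs are constructed; 'svhost.exe' is a hypothetical name.
"""
import csv
import io
import re

BACKDOOR_PORT = 39999          # from the description
DOWNLOADED_FILE = "sagebox.exe"  # PWS-LDPinch dropped into %WinDir%

# Constructed sample in the shape of `netstat -ano` output on Windows XP.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:39999          0.0.0.0:0              LISTENING       1548
  TCP    192.168.1.10:1046      203.0.113.8:80         ESTABLISHED     1548
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample in the shape of `tasklist /fo csv` output.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","892","Console","0","4,572 K"
"svhost.exe","1548","Console","0","2,104 K"
"""

# Constructed Run-key values; the 'svhost' entry is the hypothetical trojan.
SAMPLE_RUN_VALUES = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
        "svhost": r"C:\WINDOWS\system32\svhost.exe",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "msnmsgr": r"C:\Program Files\MSN Messenger\msnmsgr.exe /background",
    },
}

# Constructed %WinDir% directory listing.
SAMPLE_WINDIR = ["explorer.exe", "NOTEPAD.EXE", "SAGEBOX.EXE", "win.ini"]

# Matches one LISTENING TCP row of `netstat -ano`: local addr, port, PID.
_LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$",
    re.MULTILINE,
)


def listening_pids(netstat_text, port=BACKDOOR_PORT):
    """Map PID -> local address for every TCP socket LISTENING on `port`."""
    return {
        int(m["pid"]): m["addr"]
        for m in _LISTEN_RE.finditer(netstat_text)
        if int(m["port"]) == port
    }


def image_for_pid(tasklist_csv, pid):
    """Resolve a PID to its image name using `tasklist /fo csv` output."""
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if int(row["PID"]) == pid:
            return row["Image Name"]
    return None


def run_entries_launching(run_values, image_name):
    """Run-key values whose first token is %windir%\\system32\\<image_name>.

    Only the first whitespace-separated token is inspected, so quoted paths
    containing spaces are not handled; the trojan copies itself into
    system32, where that is not an issue.
    """
    hits = []
    for key, values in run_values.items():
        for name, command in values.items():
            exe = command.split()[0].strip('"').lower()
            if exe.endswith("\\system32\\" + image_name.lower()):
                hits.append((key, name, command))
    return hits


def downloaded_pws_present(windir_listing):
    """True if the PWS-LDPinch payload named in the description is present."""
    return any(name.lower() == DOWNLOADED_FILE for name in windir_listing)


def triage(netstat_text, tasklist_csv, run_values, windir_listing):
    """Correlate listener -> image -> Run key, plus the dropped file."""
    findings = []
    for pid, addr in listening_pids(netstat_text).items():
        image = image_for_pid(tasklist_csv, pid)
        persistence = run_entries_launching(run_values, image) if image else []
        findings.append({"pid": pid, "addr": addr, "image": image,
                         "run_entries": persistence})
    dropped = downloaded_pws_present(windir_listing)
    return {"backdoor_listeners": findings, "sagebox_present": dropped,
            "suspicious": bool(findings) or dropped}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST,
                            SAMPLE_RUN_VALUES, SAMPLE_WINDIR), indent=2))
```

On a live host, feed the functions the real output of `netstat -ano`, `tasklist /fo csv` and a dump of the HKLM/HKCU Run keys; a listener on 39999 whose image is also launched from system32 by a Run key matches the behaviour described above, but because names vary between variants the match is a lead for inspection, not proof of infection.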
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include spam emails, IRC, P2P networks, newsgroup postings, etc.
However, a recent variant of this proxy malware was modified to incorporate propagation through the backdoor opened on machines infected with W32/Mydoom.a@MM and W32/Mydoom.b@MM.
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).