Largest Directory of Internet Security Software


Trojan-Proxy.Win32.Agent.q

RISK LEVEL: 2



This Trojan launches a proxy server on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. The file is 28,796 bytes in size. It is not packed in any way.

Installation

When launched, the Trojan will copy its executable file as:

%Program Files%\q~1\svchst32.exe

The original file which was launched is then deleted.

The Trojan also adds a link to its executable file in the system registry, ensuring that the Trojan will be launched when Windows is rebooted on the victim machine:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"bab" = "c:\progra~1\q~1\svchst32.exe"

The Trojan also creates the following file:

c:\!stealth.txt

The Trojan launches a SOCKS proxy server on the victim machine on a TCP port chosen at random. It then uses a URL request to send the port number to the remote malicious user's site.

The Trojan also attempts to terminate the following processes:

  • ZONEALARM.EXE
  • WFINDV32.EXE
  • WEBSCANX.EXE
  • VSSTAT.EXE
  • VSHWIN32.EXE
  • VSECOMR.EXE
  • VSCAN40.EXE
  • VETTRAY.EXE
  • VET95.EXE
  • TDS2-NT.EXE
  • TDS2-98.EXE
  • TCA.EXE
  • TBSCAN.EXE
  • SWEEP95.EXE
  • SPHINX.EXE
  • SMC.EXE
  • SERV95.EXE
  • SCRSCAN.EXE
  • SCANPM.EXE
  • SCAN95.EXE
  • SCAN32.EXE
  • SAFEWEB.EXE
  • RESCUE.EXE
  • RAV7WIN.EXE
  • RAV7.EXE
  • PERSFW.EXE
  • PCFWALLICON.EXE
  • PCCWIN98.EXE
  • PAVW.EXE
  • PAVSCHED.EXE
  • PAVCL.EXE
  • PADMIN.EXE
  • OUTPOST.EXE
  • NVC95.EXE
  • NUPGRADE.EXE
  • NORMIST.EXE
  • NMAIN.EXE
  • NISUM.EXE
  • NAVWNT.EXE
  • NAVW32.EXE
  • NAVNT.EXE
  • NAVLU32.EXE
  • NAVAPW32.EXE
  • N32SCANW.EXE
  • MPFTRAY.EXE
  • MOOLIVE.EXE
  • LUALL.EXE
  • LOOKOUT.EXE
  • LOCKDOWN2000.EXE
  • JEDI.EXE
  • IOMON98.EXE
  • IFACE.EXE
  • ICSUPPNT.EXE
  • ICSUPP95.EXE
  • ICMON.EXE
  • ICLOADNT.EXE
  • ICLOAD95.EXE
  • IBMAVSP.EXE
  • IBMASN.EXE
  • IAMSERV.EXE
  • IAMAPP.EXE
  • F-STOPW.EXE
  • FRW.EXE
  • FP-WIN.EXE
  • F-PROT95.EXE
  • F-PROT.EXE
  • FPROT.EXE
  • FINDVIRU.EXE
  • F-AGNT95.EXE
  • ESPWATCH.EXE
  • ESAFE.EXE
  • ECENGINE.EXE
  • DVP95_0.EXE
  • DVP95.EXE
  • CLEANER3.EXE
  • CLEANER.EXE
  • CLAW95CF.EXE
  • CLAW95.EXE
  • CFINET32.EXE
  • CFINET.EXE
  • CFIAUDIT.EXE
  • CFIADMIN.EXE
  • BLACKICE.EXE
  • BLACKD.EXE
  • AVWUPD32.EXE
  • AVWIN95.EXE
  • AVSCHED32.EXE
  • AVPUPD.EXE
  • AVPTC32.EXE
  • AVPM.EXE
  • AVPDOS32.EXE
  • AVPCC.EXE
  • AVP32.EXE
  • AVP.EXE
  • AVNT.EXE
  • AVKSERV.EXE
  • AVGCTRL.EXE
  • AVE32.EXE
  • AVCONSOL.EXE
  • AUTODOWN.EXE
  • APVXDWIN.EXE
  • ANTI-TROJAN.EXE
  • ACKWIN32.EXE
  • _AVPM.EXE
  • _AVPCC.EXE
  • _AVP32.EXE

The Trojan downloads updates to itself from the remote malicious user's site. These updates will be saved under the following name:

c:\progra~1\q~1\upd<number of downloaded file>.exe

It then registers the downloaded file in the system registry autorun key and launches it for execution.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the following folder and its contents:
    %Program Files%\q~1
  3. Delete the following system registry key parameter:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "bab" = "c:\progra~1\q~1\svchst32.exe"
  4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).


Printed From: http://www.viruslist.com/en/viruses/encyclopedia?virusid=41035

