Internet Security Threats

Trojan-Proxy.Win32.Agent.v

RISK LEVEL:2

This Trojan launches a proxy server on the victim machine without the knowledgeor consent of the user. It is a Windows PE EXE file. The file is approximately19KB in size. It is packed using PECompact. The unpacked file is approximately50KB in size.

Installation

When launched, the Trojan creates the following folder: %System%\sr64. It then copies its executable file to this folder under a random namewhich is made up of numbers and an .exe extension.

The Trojan also adds a link to its executable file in the system registry,ensuring that the Trojan will be launched when Windows is rebooted on the victimmachine:

The Trojan also extracts the following file from its body:

• %System%\sr64\sr32.dll — this file is 7,168 bytes in size. It will be detected by KasperskyAnti-Virus as Trojan-Proxy.Win32.Agent.x

The Trojan launches an HTTP proxy server on TCP port 1185 and a SOCKS proxyservier on TCP port 1186.

It then sends the version of the operating system, the IP address of the victimmachine, and the numbers of open ports to the remote malicious user's site.

If your computer does not have an up-to-date antivirus, or does not have anantivirus solution at all, follow the instructions below to delete the maliciousprogram:

1. Use Task Manager to terminate the Trojan process
2. Delete the following folder and its contents:

   %System%\sr64

3. Delete the following system registry key parameter:
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "sr64" = "<path and name of Trojan executable file>"
4. Update your antivirus databases and perform a full scan of thecomputer (download a trial version of Kaspersky Anti-Virus).