This Trojan launches a proxy server on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. The file is approximately 17KB in size. It is packed using PECompact. The unpacked file is approximately 30KB in size.

Installation

When launched, the Trojan creates the following folder:

%Documents and Settings%\Application Data\Microsoft\sr64

It then copies its executable file to this folder under a random name which is made up of capital letters and an .exe extension.

The Trojan also adds a link to its executable file in the system registry, ensuring that the Trojan will be launched when Windows is rebooted on the victim machine:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"sr64" = "<path and name of Trojan executable file>"

The Trojan also extracts the following file from its body:

- %Documents and Settings%\Application Data\Microsoft\sr64\sr32.dll — this file is 7,168 bytes in size.

The Trojan launches an HTTP proxy server on TCP port 3380 and a SOCKS proxy server on TCP port 3382.

It then sends the version of the operating system, the IP address of the victim machine, and the numbers of open ports to the remote malicious user's site.

The DLL file dropped by the Trojan masks the presence of files on the hard disk and registry keys which contain the substring "sr64" in their names.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

- Use Task Manager to terminate the Trojan process.
- Delete the following folder and its contents:
  %Documents and Settings%\Application Data\Microsoft\sr64
- Delete the following system registry key parameter:
  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  "sr64" = "<path and name of Trojan executable file>"
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
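
A triage check built from the indicators in this description, added here as an example and not part of the original entry. It assumes the inputs are saved output of `netstat -ano` and of `reg query` on the Run key; the function names, verdict labels and sample captures are constructed for illustration.

```python
import re

# Indicators taken from the description above.
PROXY_PORTS = {3380: "HTTP proxy", 3382: "SOCKS proxy"}
MARKER = "sr64"  # Run value name and drop folder name
DROP_RE = re.compile(r"\\Application Data\\Microsoft\\sr64\\[A-Z]+\.exe$")

def listening_ports(netstat_text):
    """Map port -> owning PID for TCP listeners in `netstat -ano` output."""
    found = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            found[int(f[1].rsplit(":", 1)[1])] = int(f[4])
    return found

def run_values(reg_text):
    """Map value name -> data for string values in `reg query` output."""
    values = {}
    for line in reg_text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if m:
            values[m.group(1)] = m.group(2).strip().strip('"')
    return values

def triage(netstat_text, reg_text):
    ports, runs = listening_ports(netstat_text), run_values(reg_text)
    hits = [f"TCP {p} listening ({role}), PID {ports[p]}"
            for p, role in PROXY_PORTS.items() if p in ports]
    # Both proxy listeners owned by one process is the strong signal.
    same_pid = len(hits) == 2 and len({ports[p] for p in PROXY_PORTS}) == 1
    data = runs.get(MARKER)
    if data is not None:
        kind = "drop path" if DROP_RE.search(data) else "other path"
        hits.append(f"Run value {MARKER} -> {kind}")
    if not same_pid:
        return ("partial" if hits else "no-match"), hits
    # Listeners without a visible Run value fit the masking DLL described
    # above: re-check the hive offline or from a trusted boot medium.
    return ("match" if data is not None else "match-persistence-hidden"), hits

# Constructed sample captures (not taken from a real host).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING    888
  TCP    0.0.0.0:3380     0.0.0.0:0    LISTENING    1432
  TCP    0.0.0.0:3382     0.0.0.0:0    LISTENING    1432
"""
SAMPLE_RUN = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    sr64    REG_SZ    C:\Documents and Settings\user\Application Data\Microsoft\sr64\QWKZP.exe
"""
```
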

Printed From: http://www.viruslist.com/en/viruses/encyclopedia?virusid=41042