
Trojan-Proxy:W32/Kvadr.gen!A


First posted on 11 April 2009.
Source: SecurityHome

Aliases :

Trojan-Proxy:W32/Kvadr.gen!A is also known as TrojanProxy:Win32/Dosenjo (Microsoft).

Explanation :

This type of trojan allows unauthorized parties to use the infected computer as a proxy server to access the Internet anonymously.

Additional Details
Installation

The trojan-proxy creates the following file:

• c:\Documents and Settings\All Users\Application Data\loggy.txt

It drops the downloaded component into the following locations:

• c:\Documents and Settings\[user]\Local Settings\Temp\csrss5.dll
• c:\WINDOWS\system32\csrss5.dll

The '5' in the filename stands for the OS version.

It also creates a copy of itself at:

• c:\Documents and Settings\All Users\Application Data\csrss.exe

Activity

While active, the trojan-proxy attempts to connect to the following domains:

• propellero.com
• googlestats.ru
• alexastats.ru
• profeller.ru
• google-ana1itics.com
• searchmachiner.com

With the following GET request:

• s.html?cachingDeny=f9eolXC8sZY6590K&id=PCWUA99y0qWV3qFo HTTP/1.1

where 'f9eolXC8sZY6590K' is a random string and 'PCWUA99y0qWV3qFo' is a machine ID.

After successfully connecting to one or more of the domains listed above, it downloads an additional component from the link below and starts accepting connections on port 80.

• /u.php?cashingDeny=f9eolXC8sZY6590K&id=PCWUA99y0qWV3qFo HTTP/1.1

user-agent: Kvadrlson 1.0

This proxy's activity can be recognized by its user-agent, Kvadrlson 1.0.
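The network indicators above (the contact domains, the s.html beacon, the u.php component download and the Kvadrlson 1.0 user-agent) can be turned into a simple log check. The following is an added detection example, not code from the original description or from any vendor; the log line format is a constructed, Squid-like layout assumed for the example, and the sample lines are constructed. The description spells the query parameter both "cachingDeny" and "cashingDeny", so both spellings are accepted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the description above.
KVADR_DOMAINS = {
    "propellero.com", "googlestats.ru", "alexastats.ru",
    "profeller.ru", "google-ana1itics.com", "searchmachiner.com",
}
KVADR_USER_AGENT = "Kvadrlson 1.0"

# s.html is the beacon, u.php the component download. Both sample values in
# the description are 16-character alphanumeric tokens; the parameter name is
# accepted in either spelling shown on the page.
KVADR_REQUEST_RE = re.compile(
    r"^/?(?P<script>s\.html|u\.php)\?ca[cs]hingDeny=(?P<token>[A-Za-z0-9]{16})"
    r"&id=(?P<machine_id>[A-Za-z0-9]{16})$"
)

# Assumed log format (constructed for this example):
# <timestamp> <client-ip> <method> <host> <path> <status> "<user-agent>"
LOG_LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    client: str
    host: str
    kind: str                       # beacon, component_download or proxy_user_agent
    machine_id: Optional[str] = None


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line matches a Kvadr indicator, else None."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    host, path, ua = m["host"].lower(), m["path"], m["ua"]
    req = KVADR_REQUEST_RE.match(path)
    # Require both the request shape and a known domain, so an unrelated site
    # that happens to serve s.html does not trigger a finding.
    if req and host in KVADR_DOMAINS:
        kind = "beacon" if req["script"] == "s.html" else "component_download"
        return Finding(m["client"], host, kind, req["machine_id"])
    # The proxy component identifies itself by its user-agent on any host.
    if ua == KVADR_USER_AGENT:
        return Finding(m["client"], host, "proxy_user_agent")
    return None


def scan_log(lines: List[str]) -> List[Finding]:
    return [f for f in (classify_line(l) for l in lines) if f is not None]


# Constructed sample log lines: two infected-host requests, one proxied request
# carrying the trojan's user-agent, one lookalike path to an unlisted host, one benign line.
SAMPLE_LOG = [
    '2009-04-11T10:00:01Z 10.0.0.5 GET propellero.com /s.html?cachingDeny=f9eolXC8sZY6590K&id=PCWUA99y0qWV3qFo 200 "Mozilla/4.0"',
    '2009-04-11T10:00:03Z 10.0.0.5 GET googlestats.ru /u.php?cashingDeny=f9eolXC8sZY6590K&id=PCWUA99y0qWV3qFo 200 "Mozilla/4.0"',
    '2009-04-11T10:01:00Z 10.0.0.5 GET example.invalid /index.html 200 "Kvadrlson 1.0"',
    '2009-04-11T10:01:05Z 10.0.0.7 GET www.example.invalid /s.html?cachingDeny=AAAAAAAAAAAAAAAA&id=BBBBBBBBBBBBBBBB 200 "Mozilla/5.0"',
    '2009-04-11T10:02:00Z 10.0.0.9 GET www.google.com /search?q=test 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} -> {f.host}: {f.kind}"
              + (f" (machine id {f.machine_id})" if f.machine_id else ""))
```

The machine ID from the beacon is worth keeping in the finding: it lets you correlate a client's s.html and u.php requests and, if the same ID shows up from several internal addresses, spot a cloned image rather than separate infections.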

It also downloads a new hosts file, affecting a large range of domains, some of which are shown below:

127.0.0.1 go.mail.ru
127.0.0.1 nova.rambler.ru
127.0.0.1 google.ad
127.0.0.1 www.google.ad
127.0.0.1 google.ae
127.0.0.1 www.google.ae
127.0.0.1 google.com.af
127.0.0.1 www.google.com.af
127.0.0.1 google.com.ag
127.0.0.1 www.google.com.ag
127.0.0.1 google.com.ai
127.0.0.1 www.google.com.ai
127.0.0.1 google.am
127.0.0.1 www.google.am
127.0.0.1 google.com.ar
127.0.0.1 www.google.com.ar
127.0.0.1 google.as
127.0.0.1 www.google.as
127.0.0.1 google.at
127.0.0.1 www.google.at
127.0.0.1 google.com.au
127.0.0.1 www.google.com.au
127.0.0.1 www.google.co.uz
127.0.0.1 search.msn.com
127.0.0.1 search.live.com
127.0.0.1 search.msn.com.hk
127.0.0.1 search.prodigy.msn.com
127.0.0.1 cnweb.search.live.com
127.0.0.1 search.msn.co.jp
127.0.0.1 livesearch.msn.co.kr
127.0.0.1 search.msn.com.my
127.0.0.1 search.msn.com.ph
127.0.0.1 search.msn.com.sg
127.0.0.1 search.yahoo.com
127.0.0.1 ca.search.yahoo.com
127.0.0.1 ar.search.yahoo.com
127.0.0.1 cl.search.yahoo.com
127.0.0.1 search.yahoo.co.jp
127.0.0.1 kr.search.yahoo.com
127.0.0.1 malaysia.search.yahoo.com
127.0.0.1 nz.search.yahoo.com
127.0.0.1 images.google.ca
127.0.0.1 images.google.co.uk
127.0.0.1 news.google.com
127.0.0.1 news.google.ca
127.0.0.1 news.google.co.uk
127.0.0.1 video.google.com
127.0.0.1 video.google.ca
127.0.0.1 video.google.co.uk
127.0.0.1 blogsearch.google.com
127.0.0.1 blogsearch.google.ca
127.0.0.1 blogsearch.google.co.uk
127.0.0.1 searchservice.myspace.com
127.0.0.1 search.comcast.net
127.0.0.1 ask.com
127.0.0.1 www.ask.com
127.0.0.1 search.aol.com
127.0.0.1 search.netscape.com
127.0.0.1 my.att.net
127.0.0.1 yandex.ru
127.0.0.1 www.yandex.ru
127.0.0.1 yandex.ua
127.0.0.1 www.yandex.ua
127.0.0.1 baidu.com
127.0.0.1 www.baidu.com
127.0.0.1 shop.ebay.com
127.0.0.1 shop.ebay.co.uk
127.0.0.1 search.ebay.com
127.0.0.1 search.ebay.co.uk
127.0.0.1 motors.shop.ebay.com
127.0.0.1 en.search.wordpress.com
127.0.0.1 en.wikipedia.org
127.0.0.1 search.cnn.com
127.0.0.1 information.com
127.0.0.1 www.information.com
127.0.0.1 search.microsoft.com
127.0.0.1 search.about.com
127.0.0.1 search.icq.com
127.0.0.1 www.icq.com
127.0.0.1 www.verizon.net
127.0.0.1 verizon.net
127.0.0.1 search.lycos.com
127.0.0.1 youporn.com
127.0.0.1 www.youporn.com
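Because the dropped hosts file points a long list of search and portal names at 127.0.0.1, a host audit does not need the full list: any non-loopback name mapped to a loopback address is suspect. The following is an added example, not code from the original description; the sample hosts content is constructed, and the allowlist of names legitimately mapped to loopback is an assumption to be extended with the local hostname.

```python
import ipaddress
import os
import sys
from typing import Iterable, List, Set, Tuple

# Names that legitimately resolve to loopback in a default hosts file.
# Assumed baseline for this example; extend it with the machine's own hostname.
LOOPBACK_NAMES: Set[str] = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[ipaddress._BaseAddress, str]]:
    """Return (address, hostname) pairs, handling comments, blank lines and
    lines that list several names for one address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop inline and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                             # address with no names
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # not a hosts entry we can interpret
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def find_sinkholed_names(text: str, allow: Iterable[str] = LOOPBACK_NAMES) -> List[str]:
    """Hostnames mapped to a loopback address that are not expected there.
    The trojan's file maps search-engine names to 127.0.0.1, so these are
    the entries an analyst wants to see first."""
    allowed = {a.lower() for a in allow}
    return sorted({name for addr, name in parse_hosts(text)
                   if addr.is_loopback and name not in allowed})


def system_hosts_path() -> str:
    """Default hosts file location for the running platform."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


# Constructed sample: a normal header, one legitimate internal override, and
# a few of the trojan's entries (one line carrying two names).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.20       intranet.corp.example   # legitimate internal override
127.0.0.1 go.mail.ru
127.0.0.1 google.ad
127.0.0.1 www.google.ad
127.0.0.1 search.yahoo.com   yandex.ru
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else system_hosts_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"could not read {path}: {exc}; using constructed sample", file=sys.stderr)
        text = SAMPLE_HOSTS
    for name in find_sinkholed_names(text):
        print("suspicious loopback entry:", name)
```

Run without arguments it reads the platform's own hosts file; pass a path to audit a file pulled from another machine. A non-empty result for names such as go.mail.ru or search.yahoo.com matches the behaviour described above and is a cue to look for the dropped csrss5.dll and csrss.exe files listed under Installation.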

Last update 11 April 2009
