
TrojanProxy:Win32/Pramro.F


First posted on 12 March 2010.
Source: SecurityHome

Aliases :

TrojanProxy:Win32/Pramro.F is also known as Backdoor.Win32.Mazben.ah (Kaspersky), W32/Horst.gen33 (Norman), Win32/Maazben!generic (CA), Generic Proxy!r (McAfee), Mal/TinyDL-T (Sophos).

Explanation :

TrojanProxy:Win32/Pramro.F is a trojan that creates a proxy on an infected computer. Proxy servers may be used by attackers to hide the origin of malicious activity. In this case, this proxy may be used to relay spam and HTTP traffic. In the wild TrojanProxy:Win32/Pramro.F has been observed to be associated with the Win32/Sality malware family.

Installation :

TrojanProxy:Win32/Pramro.F runs from the location where it is executed. It creates the mutex "qiwuyeiu2983" to avoid running multiple instances of itself.

Payload :

Modifies security settings

TrojanProxy:Win32/Pramro.F adds itself to the Windows Firewall exclusion list by modifying the following registry entry:

Sets value: "<malware>"
With data: "<path to malware executable>:*:enabled:ipsec"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Creates SOCKS proxy

TrojanProxy:Win32/Pramro.F may initially contact the following mail exchanger (MX) hosts, possibly to test that it can reach SMTP servers:

c.mx.mail.yahoo.com
d.mx.mail.yahoo.com
imx1.rambler.r
maila.microsoft.com
mailin-01.mx.aol.com
mailin-02.mx.aol.com
mailin-03.mx.aol.com
mailin-04.mx.aol.com
mx1.yandex.ru
mx2.yandex.ru
mxs.mail.ru

The trojan then makes several HTTP GET requests to the following IP addresses:

212.117.175.9
212.117.185.10

TrojanProxy:Win32/Pramro.F opens and listens on a random TCP port between 1179 and 11178 (inclusive), excluding ports 6665, 6666, and 6667. The proxy may then be used to relay spam e-mail or HTTP traffic.
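The two host-based artifacts above (the firewall exclusion written as "<path>:*:enabled:ipsec" and a listener on a port in 1179-11178 outside 6665-6667) can be checked from an incident-response script. The following is an added example written for this page, not code from the original write-up or from any vendor tool: it parses the AuthorizedApplications value format (path, scope, state, display name, splitting after the drive letter so the "C:" does not break the split) and screens netstat output for listeners in the Pramro port range. The registry mapping and the netstat lines are constructed sample data; the file paths and PIDs in them are hypothetical.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# --- Windows Firewall exclusion list (XP/2003 AuthorizedApplications\List) ---
# Each value is "<path>:<scope>:<Enabled|Disabled>:<display name>".
# Constructed sample standing in for what winreg.EnumValue would return on the
# subkey; the paths are hypothetical, the "ipsec" name and "*" scope are the
# values the write-up attributes to Pramro.F.
SAMPLE_FIREWALL_LIST: Dict[str, str] = {
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"%windir%\system32\sessmgr.exe":
        r"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019",
    r"C:\Documents and Settings\user\Local Settings\Temp\sample.exe":
        r"C:\Documents and Settings\user\Local Settings\Temp\sample.exe:*:enabled:ipsec",
}


class FirewallEntry(NamedTuple):
    path: str
    scope: str
    enabled: bool
    name: str


def parse_authorized_app(data: str) -> Optional[FirewallEntry]:
    """Parse one AuthorizedApplications value; returns None if malformed."""
    prefix = ""
    # A drive-letter path ("C:\...") contains a colon; keep it out of the split.
    if len(data) > 2 and data[1:3] == ":\\":
        prefix, data = data[:2], data[2:]
    parts = data.split(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, name = parts
    return FirewallEntry(prefix + path, scope, state.lower() == "enabled", name)


def pramro_firewall_matches(values: Dict[str, str]) -> List[str]:
    """Paths of enabled, any-scope exclusions whose display name is 'ipsec'."""
    hits = []
    for data in values.values():
        entry = parse_authorized_app(data)
        if entry and entry.enabled and entry.scope == "*" and entry.name.lower() == "ipsec":
            hits.append(entry.path)
    return hits


# --- Listening port screen ---------------------------------------------------
PRAMRO_PORT_LOW, PRAMRO_PORT_HIGH = 1179, 11178
PRAMRO_SKIPPED_PORTS = {6665, 6666, 6667}


def is_pramro_candidate_port(port: int) -> bool:
    """True if the port is one Pramro.F could have picked for its proxy."""
    return PRAMRO_PORT_LOW <= port <= PRAMRO_PORT_HIGH and port not in PRAMRO_SKIPPED_PORTS


# Constructed "netstat -ano" output; PIDs are hypothetical.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       2210
  TCP    0.0.0.0:5031           0.0.0.0:0              LISTENING       1844
  TCP    127.0.0.1:1179         0.0.0.0:0              LISTENING       3000
  TCP    [::]:11178             [::]:0                 LISTENING       3001
  TCP    192.168.1.5:5031       212.117.175.9:80       ESTABLISHED     1844
"""

NETSTAT_LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_ports(netstat_lines: List[str]) -> List[Tuple[int, int]]:
    """(port, pid) for every TCP LISTENING line; IPv4 and [::]-style IPv6."""
    out = []
    for line in netstat_lines:
        m = NETSTAT_LISTEN_RE.match(line)
        if not m:
            continue
        local, pid = m.group(1), int(m.group(2))
        out.append((int(local.rsplit(":", 1)[1]), pid))
    return out


def pramro_listener_candidates(netstat_lines: List[str]) -> List[Tuple[int, int]]:
    return [(p, pid) for p, pid in listening_ports(netstat_lines) if is_pramro_candidate_port(p)]


if __name__ == "__main__":
    print("firewall exclusions named 'ipsec':", pramro_firewall_matches(SAMPLE_FIREWALL_LIST))
    print("listeners in Pramro port range:", pramro_listener_candidates(SAMPLE_NETSTAT.splitlines()))
```

The port range overlaps the ephemeral range many services use, so a listener in it is only a lead; the firewall exclusion with the "ipsec" display name, the mutex name, and a process whose PID appears in both outputs are what turn it into a finding.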

Analysis by Jireh Sanico

Last update 12 March 2010
