
TrojanProxy:Win32/Tinxy.A


First posted on 18 June 2009.
Source: SecurityHome

Aliases:

TrojanProxy:Win32/Tinxy.A is also known as Win-Trojan/Proxy.9472 (AhnLab), Trojan-Downloader.Win32.Agent.alvk (Kaspersky), W32/Agent.JBSK (Norman), Win32/TrojanProxy.Small.NCG (ESET).

Explanation:

TrojanProxy:Win32/Tinxy.A is a trojan that creates a proxy on an affected machine. Proxy servers may be used by attackers in order to hide the origin of malicious activity.

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following registry modifications:

    Adds value: "ProxyServer"
    With data: "http=127.0.0.1:8383"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    where 8383 is the port being used by Tinxy for the proxy.

    Adds value: "ProxyEnable"
    With data: "1"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Installation

TrojanProxy:Win32/Tinxy.A installs itself as a Windows service on the affected machine. The service name may vary, but we have observed the following names being used in the wild, for example:

  • Service Bonjour (Bonjour Service)
  • Cisco Systems, Inc. VPN Service (CVPND)


Payload

Establishes proxy

TrojanProxy:Win32/Tinxy.A establishes a proxy on TCP port 8383, which it uses to redirect the affected user's web browser. TrojanProxy:Win32/Tinxy.A may redirect an affected user's web browser when they attempt to access certain domains. These domains may vary, but we have observed the following domains being targeted in the wild, for example:

  • www.search.live.*
  • search.live.*
  • www.search.msn.*
  • search.msn.*
  • www.search.yahoo.*
  • search.yahoo.*
  • www.google.*
  • google.*

Modifies system settings

TrojanProxy:Win32/Tinxy.A makes a number of modifications to an affected system to enable it to operate.

On systems running Internet Explorer, it makes the following registry modifications:

    Adds value: "ProxyServer"
    With data: "http=127.0.0.1:8383"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    where 8383 is the port being used by Tinxy for the proxy.

    Adds value: "ProxyEnable"
    With data: "1"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

On systems using Firefox, it appends the following lines to Firefox's configuration file prefs.js:

    user_pref("network.proxy.http", "127.0.0.1");
    user_pref("network.proxy.http_port", 8383);
    user_pref("network.proxy.type", 1);

Terminates processes

TrojanProxy:Win32/Tinxy.A attempts to terminate all running Firefox processes to make sure the modified settings take effect.
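As an added example (not part of the original write-up), the following Python checks the two artefacts described above for these proxy settings: the text of a `reg export` of the Internet Settings subkey and a Firefox prefs.js. The sample inputs are constructed to match the modifications listed, and the parsers handle only the simple string and dword value forms shown here.

```python
import re
# Indicators taken from the Tinxy.A description above: a loopback HTTP proxy on TCP 8383.
TINXY_PROXY = "127.0.0.1:8383"
IE_SETTINGS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# prefs.js lines look like: user_pref("network.proxy.http_port", 8383);
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|(\d+)|(true|false))\)')
# .reg lines look like: "ProxyEnable"=dword:00000001 or "ProxyServer"="http=..." (simple forms only)
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_prefs_js(text):
    """Map pref name -> value (str, int or bool) for each user_pref() line."""
    prefs = {}
    for m in PREF_RE.finditer(text):
        name, s, n, b = m.groups()
        prefs[name] = s if s is not None else (int(n) if n is not None else b == "true")
    return prefs

def parse_reg_export(text):
    """Map subkey -> {value name: data} from the text of a `reg export` (.reg) file."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := REG_VALUE_RE.match(line)):
            name, dword, string = m.groups()
            keys[current][name] = int(dword, 16) if dword is not None else string
    return keys

def tinxy_indicators(reg_text, prefs_text):
    """Return the Tinxy.A proxy indicators present in a .reg export and a prefs.js."""
    found = []
    ie = parse_reg_export(reg_text).get(IE_SETTINGS_KEY, {})
    # ProxyServer may hold several "scheme=host:port" entries separated by ';'.
    if ie.get("ProxyEnable") == 1 and "http=" + TINXY_PROXY in str(ie.get("ProxyServer", "")).split(";"):
        found.append("IE: ProxyEnable=1 and ProxyServer sends http via " + TINXY_PROXY)
    ff = parse_prefs_js(prefs_text)
    if (ff.get("network.proxy.type") == 1 and ff.get("network.proxy.http") == "127.0.0.1"
            and ff.get("network.proxy.http_port") == 8383):
        found.append("Firefox: prefs.js forces manual HTTP proxy " + TINXY_PROXY)
    return found

# Constructed sample artefacts shaped like the modifications described above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:8383"
'''
SAMPLE_PREFS = '''user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8383);
user_pref("network.proxy.type", 1);
'''
```

Run `tinxy_indicators(SAMPLE_REG, SAMPLE_PREFS)` to list both findings; a host where ProxyEnable is 0 or prefs.js lacks the three lines yields an empty list.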

Analysis by Chun Feng

Last update 18 June 2009
