
Trojan.Proxy.Horst.AV


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Trojan.Proxy.Horst.AV.

Explanation:

- When executed, the malware drops a file named tmp1.tmp in %TEMP% (which BitDefender detects as Trojan.Proxy.Horst.AZ), then starts svchost.exe (Generic Host Process for Win32 Services, a well-known Windows process) and overwrites the original code of svchost.exe in memory with its own code.
- The modified svchost.exe does the following:
+ Copies the malware file to %SYSTEMROOT%\System\smss.exe;
+ Adds to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run the value:
* Value Name: .nvsvc
* Value Data: %SYSTEMROOT%\System\smss.exe /w;
+ Copies the file %TEMP%\tmp1.tmp to %SYSTEMROOT%\System32\nvsvcd.exe and executes it with the -install parameter. This creates a service called Windows Log;
+ If the OS is Windows XP Service Pack 2, adds to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List the value:
* Value Name: "C:\WINNT\System32\svchost.exe"
* Value Data: "C:\WINNT\System32\svchost.exe:*:Enabled:Microsoft Update"
With this value set, the process is ignored by Windows Firewall when it connects to the internet;
+ Tries to stop and delete or disable the following services:
* "wscsvc" Security Center
* "SharedAccess" Windows Firewall/Internet Connection Sharing (ICS)
* "wuauserv" Automatic Updates
* "kavsvc"
* "SAVScan"
* "Symantec Core LC"
* "navapsvc"
+ Deletes from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run the value "KAVPersonal50" so that Kaspersky AV will not start at the next reboot;
+ Checks for an updated version of itself at http://rc.rizalof.com/[removed]. If it finds one, it copies it to %TEMP%\smss.exe and executes it;
+ Connects to an IRC server from which it receives links to executable files, which it downloads and executes.
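A host check for the indicators listed above, written here as an added example rather than BitDefender's own tooling; it assumes an elevated PowerShell session with the CIM cmdlets available and uses only the paths, registry values and service names given in this description.

```powershell
# Added example: look for the artifacts this description attributes to the
# malware and return the ones present. Not a removal tool.
function Find-HorstAVIndicators {
    $found = @()
    $sysRoot = $env:SystemRoot

    # 1. Dropped copy of the malware. The legitimate smss.exe lives in
    #    %SYSTEMROOT%\System32, so a copy under %SYSTEMROOT%\System is suspicious by itself.
    $smss = Join-Path $sysRoot 'System\smss.exe'
    if (Test-Path -LiteralPath $smss) { $found += "File present: $smss" }

    # 2. Second dropped component (tmp1.tmp copied to System32 and installed as a service).
    $nvsvcd = Join-Path $sysRoot 'System32\nvsvcd.exe'
    if (Test-Path -LiteralPath $nvsvcd) { $found += "File present: $nvsvcd" }

    # 3. Persistence: Run value ".nvsvc" pointing at the dropped smss.exe with /w.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['.nvsvc']) {
        $found += "Run value .nvsvc = $($run.'.nvsvc')"
    }

    # 4. Service named "Windows Log", created by nvsvcd.exe -install.
    $svc = Get-CimInstance -ClassName Win32_Service `
        -Filter "Name='Windows Log' OR DisplayName='Windows Log'" -ErrorAction SilentlyContinue
    foreach ($s in $svc) { $found += "Service '$($s.Name)' path: $($s.PathName)" }

    # 5. XP SP2 firewall exception for svchost.exe labelled "Microsoft Update".
    #    Matched on the value pattern rather than the literal C:\WINNT path so that
    #    installs with a different %SYSTEMROOT% are covered as well.
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
    if ($fw) {
        foreach ($p in $fw.PSObject.Properties) {
            if ($p.Name -like '*\svchost.exe' -and "$($p.Value)" -like '*:Enabled:Microsoft Update') {
                $found += "Firewall exception: $($p.Name) = $($p.Value)"
            }
        }
    }

    # 6. Protective services the malware tries to stop or disable. A stopped service
    #    is a weak signal on its own; it is reported to corroborate the items above.
    foreach ($name in 'wscsvc', 'SharedAccess', 'wuauserv') {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($s -and $s.Status -ne 'Running') { $found += "Service $name is $($s.Status)" }
    }
    return $found
}

Find-HorstAVIndicators
```

An empty result means none of the described artifacts were found; any hit on items 1 to 5 warrants a full scan of the host and a review of the Run key and service list.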

Last update 21 November 2011
