Trojan:Win32/Waprox
First posted on 18 July 2012.
Source: Microsoft
Aliases:
Trojan:Win32/Waprox is also known as Gen:Variant.Zusy.Elzob.2492 (BitDefender), Mal/Cleaman-B (Sophos).
Explanation:
Trojan:Win32/Waprox is a trojan that connects to certain servers to receive commands from a remote attacker.
Installation
Trojan:Win32/Waprox may come in either an EXE or DLL form. When run, it drops and loads a copy of itself with either of the following formats:
- %CommonProgramFiles%\<malware file name>\<malware file name>.exe
- %CommonProgramFiles%\<malware file name>\<malware file name>.dll
where <malware file name> is built by concatenating and/or substituting strings taken from the names of services on the computer. For example, for a service named "Microsoft Url History Service", "Microsoft" becomes "MS", and the resulting malware file name is "MSUrlHistoryService.exe" or "MSUrlHistoryService.dll".
Trojan:Win32/Waprox creates the following registry entries so that it automatically runs every time Windows starts:
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>"
With data: ""%CommonProgramFiles%\<malware file name>\<malware file name>.exe" /<random parameter>" or "rundll32.exe "%CommonProgramFiles%\<malware file name>\<malware file name>.dll",<random parameter>"
For example:
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "MSUrlHistoryService"
With data: ""%CommonProgramFiles%\MSUrlHistoryService\MSUrlHistoryService.exe" /<random parameter>" or "rundll32.exe "%CommonProgramFiles%\MSUrlHistoryService\MSUrlHistoryService.dll",<random parameter>"
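A defender-side check for the persistence pattern described above, added here as an example and not part of Microsoft's write-up. It derives the file names Waprox would build from a list of service names (only the "Microsoft" to "MS" substitution the page shows is implemented; that is an assumption about the full naming scheme), then flags Run-key entries that launch `%CommonProgramFiles%\<name>\<name>.exe` or `rundll32.exe` on `%CommonProgramFiles%\<name>\<name>.dll` with a name in that set. The service names and Run entries are constructed sample data; on a real host they would come from the service control manager and the registry.

```python
import re

# Constructed sample input (not from the page): service display names on a host.
SAMPLE_SERVICE_NAMES = [
    "Microsoft Url History Service",
    "Windows Update",
    "Print Spooler",
]

# Constructed sample HKLM\...\Run entries (value name -> data): two that follow the
# page's persistence pattern and two benign ones that must not be flagged.
SAMPLE_RUN_ENTRIES = {
    "MSUrlHistoryService": '"%CommonProgramFiles%\\MSUrlHistoryService\\MSUrlHistoryService.exe" /x7f2',
    "WindowsUpdate": 'rundll32.exe "%CommonProgramFiles%\\WindowsUpdate\\WindowsUpdate.dll",Start',
    "SecurityHealth": '%windir%\\system32\\SecurityHealthSystray.exe',
    "OneDrive": '"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
}


def derive_waprox_names(service_names):
    """File names Waprox would derive from service names: 'Microsoft' -> 'MS',
    spaces removed (the one substitution the page demonstrates; assumed to be the rule)."""
    return {s.replace("Microsoft", "MS").replace(" ", "") for s in service_names if s.strip()}


# Launch form 1: "%CommonProgramFiles%\<name>\<name>.exe" /<param>
_EXE_RE = re.compile(r'^"?%CommonProgramFiles%\\([^\\"]+)\\\1\.exe"?(\s+/\S+)?$', re.IGNORECASE)
# Launch form 2: rundll32.exe "%CommonProgramFiles%\<name>\<name>.dll",<param>
_DLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?%CommonProgramFiles%\\([^\\"]+)\\\1\.dll"?\s*,\s*\S+$',
                     re.IGNORECASE)


def find_waprox_run_entries(run_entries, service_names):
    """Return [(value_name, derived_name, form)] for Run entries whose data matches a
    Waprox launch form AND whose folder/file name is derivable from an installed service."""
    derived = derive_waprox_names(service_names)
    hits = []
    for value_name, data in run_entries.items():
        for form, rx in (("exe", _EXE_RE), ("dll", _DLL_RE)):
            m = rx.match(data.strip())
            if m and m.group(1) in derived:
                hits.append((value_name, m.group(1), form))
    return hits


if __name__ == "__main__":
    for value_name, name, form in find_waprox_run_entries(SAMPLE_RUN_ENTRIES, SAMPLE_SERVICE_NAMES):
        print(f"suspicious Run value {value_name!r}: {form} under %CommonProgramFiles%\\{name}")
```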
Payload
Connects to a remote server
Trojan:Win32/Waprox connects to the following servers using either port 80 or 2222 to receive instructions from a remote attacker:
- 84.84.80.47:11825
- dance001-tst.net
- dance001-tst.org
- hungrypiggs.com
- secondfatman.com
Analysis by Edgardo Diaz
Last update 18 July 2012