Trojan:Win32/Dugenpal.A
First posted on 29 November 2011.
Source: SecurityHome
Aliases:
Trojan:Win32/Dugenpal.A is also known as Trojan.Cossta!7jRZ1tRMQvU (VirusBuster), Proxy.ANJS (AVG), Win32/TrojanProxy.Wintu.B (ESET), Trojan.Win32.Dugenpal (Ikarus).
Explanation:
Trojan:Win32/Dugenpal.A is a trojan that functions as an unauthorized proxy by connecting to various IP addresses via certain ports.
Installation
Upon execution, Trojan:Win32/Dugenpal.A drops itself as the following file:
%AppData%\engel\updates.exe
It makes the following changes to the registry to ensure that its copy executes at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "engel"
With data: "%AppData%\updates\updates.exe"
It also creates the following registry entry as part of its installation routine:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main\
Sets value: "DHCP"
With data: "1272822"
Payload
Disables Windows Firewall
This trojan modifies registry data to disable the Windows Firewall:
In subkey: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: 0
Acts as an unauthorized proxy
Trojan:Win32/Dugenpal.A connects to, and listens on, various addresses via port 3128. In doing so it receives and relays data, acting as a proxy for malicious purposes. It also listens on port 24345 for commands from a remote attacker.
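The artifacts above (dropped file, Run-key persistence, the Internet Explorer\Main marker value, the disabled StandardProfile firewall and the two listening ports) can be checked on a suspect host with the read-only PowerShell script below. It is an added example for this page, not a tool from the advisory's author or vendor; it assumes an elevated PowerShell session on the host being examined and, for the socket check, a Windows version that provides Get-NetTCPConnection (Windows 8 / Server 2012 or later). The report-only design is deliberate: it does not delete files or modify the registry.

```powershell
# Added example (not from the original advisory): read-only host check for the
# Trojan:Win32/Dugenpal.A indicators listed on this page.
# Assumptions: elevated PowerShell on the affected host; Get-NetTCPConnection
# is available (Windows 8 / Server 2012 or later). Nothing is removed or changed.

$findings = @()

# 1. Dropped file. The page gives two %AppData% paths (the drop location and the
#    path stored in the Run value), so both are checked.
$paths = @(
    (Join-Path $env:APPDATA 'engel\updates.exe'),
    (Join-Path $env:APPDATA 'updates\updates.exe')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $findings += "File present: $p"
    }
}

# 2. Persistence: value "engel" under HKCU\...\CurrentVersion\Run
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'engel' -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run value 'engel' -> $($run.engel)"
}

# 3. Installation marker: value "DHCP" under HKCU\...\Internet Explorer\Main
$ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ie = Get-ItemProperty -Path $ieKey -Name 'DHCP' -ErrorAction SilentlyContinue
if ($ie) {
    $findings += "Internet Explorer\Main value 'DHCP' -> $($ie.DHCP)"
}

# 4. Payload: StandardProfile\EnableFirewall set to 0 (firewall disabled)
$fwKey = 'HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fw = Get-ItemProperty -Path $fwKey -Name 'EnableFirewall' -ErrorAction SilentlyContinue
if ($fw -and $fw.EnableFirewall -eq 0) {
    $findings += 'Windows Firewall StandardProfile disabled (EnableFirewall = 0)'
}

# 5. Listening TCP sockets on the ports named above: 3128 (proxy) and 24345 (commands).
#    Port 3128 is also the default for legitimate proxies such as Squid, so the owning
#    process is reported to help triage rather than treated as proof on its own.
$ports = 3128, 24345
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort }
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "Listening on TCP $($l.LocalPort): PID $($l.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan:Win32/Dugenpal.A indicators found.'
} else {
    Write-Output 'Possible Trojan:Win32/Dugenpal.A indicators:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Any hit from checks 1 to 4 is a strong signal, since the file path, the value names "engel" and "DHCP" and the firewall change are specific to this family's installation; a hit from check 5 alone should be confirmed against the owning process before acting on it.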
Analysis by Jim Wang
Last update 29 November 2011