
Backdoor:Win32/Tinxy.F


First posted on 11 May 2009.
Source: SecurityHome

Aliases:

Backdoor:Win32/Tinxy.F is also known as Win-Trojan/Agent.31236.H (AhnLab), Trojan-Downloader.Win32.Agent.bhyd (Kaspersky), Trj/Downloader.MDW (Panda).

Explanation:

TrojanProxy:Win32/Tinxy.F is a trojan that creates a proxy on an affected machine. Proxy servers may be used by attackers in order to hide the origin of malicious activity.

Symptoms

System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    <system folder>\drivers\fr.dll
    <system folder>\drivers\fr.sys
  • The presence of the following registry modifications:
    Adds value: "ProxyServer"
    With data: "http=localhost:<port number>"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    where <port number> is the port being used by Tinxy for the proxy.
    Adds value: "ProxyEnable"
    With data: "1"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Installation
When executed, TrojanProxy:Win32/Tinxy.F drops the following files (both of which may be detected as VirTool:Win32/Tinxy.A):
  • <system folder>\drivers\fr.dll
  • <system folder>\drivers\fr.sys

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.

It also drops a batch file (nfr.bat) that it uses to register the dropped DLL as a Windows service, which is started automatically at each Windows start. After that, it attempts to delete the batch file and its original executable.

Payload

Establishes Proxy
TrojanProxy:Win32/Tinxy.F establishes a proxy on a variable TCP port (e.g. one variant used port 7070). Proxy servers may be used by attackers in order to hide the origin of malicious activity. Win32/Tinxy may redirect an affected user's web browser when they attempt to access certain domains. These domains may vary, but we have observed the following domains being targeted in the wild, for example:
  • www.search.yahoo.*
  • www.google.*
  • img.youtube.com
  • yimg.com
  • metacafe.com
  • yahooapis.com

Modifies System Settings
TrojanProxy:Win32/Tinxy.F makes a number of modifications to an affected system to enable it to operate. On systems running Internet Explorer, it makes the following registry modifications:
    Adds value: "ProxyServer"
    With data: "http=localhost:<port number>"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    where <port number> is the port being used by Tinxy for the proxy.
    Adds value: "ProxyEnable"
    With data: "1"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

On systems using Firefox, it appends the following lines to Firefox's configuration file prefs.js:
    user_pref("network.proxy.http", "localhost");
    user_pref("network.proxy.http_port", <port number>);
    user_pref("network.proxy.type", 1);
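The host artifacts listed above (the dropped files, the Internet Settings proxy values and the prefs.js lines) can be checked from an administrative PowerShell session. The following read-only check is an added example, not part of the original advisory; the file and registry names come from the entry, while the Firefox profile path, the service lookup by ImagePath and the regular expressions are assumptions.

```powershell
# Added example (not from the original advisory): read-only check for the
# indicators described in this entry. Returns one string per finding.
function Test-TinxyProxyIndicators {
    $findings = @()

    # 1. Internet Explorer proxy values: ProxyEnable=1 and ProxyServer=http=localhost:<port>
    $ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
    if ($ie -and $ie.ProxyEnable -eq 1 -and $ie.ProxyServer -match '^http=localhost:(\d+)$') {
        $findings += "IE HTTP proxy points at localhost port $($Matches[1]) ($ieKey)"
    }

    # 2. Dropped files under <system folder>\drivers
    $drivers = Join-Path ([Environment]::SystemDirectory) 'drivers'
    foreach ($name in 'fr.dll', 'fr.sys') {
        $path = Join-Path $drivers $name
        if (Test-Path -LiteralPath $path) { $findings += "Dropped file present: $path" }
    }

    # 3. Service whose ImagePath is one of the dropped files. The advisory gives
    #    no service name, so match on the path (assumption: ImagePath only,
    #    a ServiceDll under a Parameters subkey would not be seen here).
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.ImagePath -match '\\drivers\\fr\.(dll|sys)\b' } |
        ForEach-Object { $findings += "Service $($_.PSChildName) loads $($_.ImagePath)" }

    # 4. Firefox prefs.js lines appended by the trojan (profile location assumed)
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path -LiteralPath $profiles) {
        Get-ChildItem -Path $profiles -Filter prefs.js -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $prefs = Get-Content -LiteralPath $_.FullName -Raw
                if ($prefs -match 'user_pref\("network\.proxy\.http",\s*"localhost"\)' -and
                    $prefs -match 'user_pref\("network\.proxy\.type",\s*1\)') {
                    $findings += "Firefox profile routes HTTP through localhost: $($_.FullName)"
                }
            }
    }

    return $findings
}

Test-TinxyProxyIndicators
```

A localhost proxy is also configured by some legitimate tools, so a ProxyServer hit on its own is a lead to confirm against the file and service findings rather than a verdict.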

Analysis by Chun Feng

Last update 11 May 2009
