First posted on 20 June 2007.
Source: SecurityHome
Trojan-Proxy:W32/Xorpix.AR is also known as Trojan-Proxy.Win32.Xorpix.ar.
Trojan-Proxy:W32/Xorpix.AR injects its code into the Winlogon.exe process. It then opens Internet Explorer and acts as a proxy server.
Upon execution, the file detected as Trojan-Proxy.Win32.Xorpix.ar drops DLL files with the following filenames into C:\Documents and Settings\All Users\Documents\Settings:
- bot.dll
- dn.dll
- partnership.dll
It then registers the dropped DLLs as Winlogon notification packages, which Winlogon.exe loads at startup, by creating registry entries of the following form:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\%dll_name%reg
DllName "C:\Documents and Settings\All Users\Documents\Settings\%dll_name%.dll"
Startup "%dll_name%reg"
Impersonate dword:00000001
Asynchronous dword:00000001
Note: %dll_name% represents the base filename (without extension) of the dropped DLL.
Here are the registry entries:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\partnershipreg
DllName "C:\Documents and Settings\All Users\Documents\Settings\partnership.dll"
Startup "partnershipreg"
Impersonate dword:00000001
Asynchronous dword:00000001
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bnreg
DllName "C:\Documents and Settings\All Users\Documents\Settings\bn.dll"
Startup "bnreg"
Impersonate dword:00000001
Asynchronous dword:00000001
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\botreg
DllName "C:\Documents and Settings\All Users\Documents\Settings\bot.dll"
Startup "botreg"
Impersonate dword:00000001
Asynchronous dword:00000001
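Anyone triaging a suspected infection will want to audit the Winlogon\Notify key for planted packages. The Python script below is an added example and is not code from the original description: it parses the text of a `reg export` dump of that key (a constructed sample is embedded inline, modelled on the entries above plus a benign crypt32chain package) and flags notification packages whose DllName points outside System32 or matches the DLL names listed above. The name bn.dll is taken from the bnreg Startup value; the benign entry and the value layout of the sample are assumptions.

```python
# Flag suspicious Winlogon notification packages in a .reg export.
# Added example, not part of the original description. Feed it the text of:
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg
# (reg export writes UTF-16 with a BOM; decode the file before calling parse_reg).

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# DLL names from the description; bn.dll is the name implied by the bnreg Startup value.
XORPIX_DLLS = {"bot.dll", "dn.dll", "bn.dll", "partnership.dll"}

# Constructed sample export: one legitimate package (crypt32chain, assumed) and two
# entries written the way the description above shows them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\botreg]
"DllName"="C:\\Documents and Settings\\All Users\\Documents\\Settings\\bot.dll"
"Startup"="botreg"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\partnershipreg]
"DllName"="C:\\Documents and Settings\\All Users\\Documents\\Settings\\partnership.dll"
"Startup"="partnershipreg"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
'''


def _decode_value(raw):
    """Decode the subset of .reg value syntax needed here: quoted strings, dword, hex(2)/hex(7)."""
    if raw.startswith('"') and raw.endswith('"'):
        # .reg escapes backslashes and quotes inside string values
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(2):") or raw.startswith("hex(7):"):
        # REG_EXPAND_SZ / REG_MULTI_SZ are exported as UTF-16LE byte lists
        data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} for the text of a .reg export."""
    keys, current, pending = {}, None, ""
    for line in text.lstrip("\ufeff").splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]          # hex values wrap with a trailing backslash
            continue
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        if line.startswith("@="):
            name, raw = "@", line[2:]
        elif line.startswith('"') and '"=' in line:
            name, _, raw = line[1:].partition('"=')
        else:
            continue
        keys[current][name] = _decode_value(raw)
    return keys


def suspicious_notify_entries(keys):
    """Return [(subkey, [reasons])] for notification packages that look planted."""
    findings = []
    prefix = NOTIFY_KEY.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        subkey = path[len(prefix):]
        dll = str(values.get("DllName", ""))
        reasons = []
        # A bare name is resolved against System32; a full path elsewhere is the red flag.
        if "\\" in dll and "\\system32\\" not in dll.lower():
            reasons.append("DllName outside System32: " + dll)
        if dll.rsplit("\\", 1)[-1].lower() in XORPIX_DLLS:
            reasons.append("DllName matches a Xorpix.AR dropped DLL")
        if reasons:
            findings.append((subkey, reasons))
    return findings


if __name__ == "__main__":
    for subkey, reasons in suspicious_notify_entries(parse_reg(SAMPLE_REG)):
        print(subkey)
        for reason in reasons:
            print("   ", reason)
```

Treat a hit as a starting point, not a verdict: a third-party package installed under a full path will also be reported, so check the flagged DLL on disk and the Winlogon.exe process before cleaning the key.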
Xorpix.AR then injects its code into the Winlogon.exe process. It then opens an instance of Internet Explorer and, listening on a random port, acts as a proxy server.
Last update 20 June 2007