
Win32/Pramro


First posted on 15 February 2012.
Source: Microsoft

Aliases:

There are no other names known for Win32/Pramro.

Explanation:

Win32/Pramro is a trojan that acts as a SOCKS proxy on an infected computer. Proxy servers may be used by attackers to hide the origin of malicious activity. In this case, this proxy may be used to relay spam and HTTP traffic. In the wild, Win32/Pramro has been observed to be downloaded by variants of the Win32/Sality family.



Installation

Win32/Pramro runs from where it is executed. It may create the mutex "qiwuyeiu2983" to avoid running multiple instances of itself.



Payload

Modifies firewall settings

Win32/Pramro adds itself to the Windows Firewall exclusion list by modifying the following registry entry:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<malware file name>"
With data: "<path to the malware executable>:*:enabled:ipsec"
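A defender rarely gets to watch the entry being written; what is available afterwards is the contents of that List subkey (for example from reg query on the host or from an offline SYSTEM hive). The following is an added triage script written for this page, not Microsoft's tooling: it parses entries in the XP-era "path:scope:state:name" format and flags the traits the entry above exhibits. The heuristics, the sample entries and the ExampleApp path are constructed; the winkfunt.exe name is taken from the file-name examples on this page, but its directory is a placeholder.

```python
import ntpath
from typing import Dict, List, NamedTuple

# Subkey named on the page; this script never touches the live registry, it takes
# an already-exported value-name -> data mapping.
FIREWALL_LIST_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                     r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

SYSTEM_ROOT = ntpath.normcase("C:\\Windows\\")          # assumption: default install drive
USER_WRITABLE_MARKERS = ("\\temp\\", "\\local settings\\", "\\appdata\\")


class Exclusion(NamedTuple):
    value_name: str
    path: str
    scope: str
    state: str
    display_name: str


def parse_exclusion(value_name: str, data: str) -> Exclusion:
    """Split 'C:\\dir\\app.exe:*:Enabled:Name' into its fields. The split runs from the
    right so the drive-letter colon inside the path is not taken for a separator."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"unexpected exclusion format: {data!r}")
    path, scope, state, display_name = parts
    return Exclusion(value_name, path, scope, state, display_name)


def suspicious_reasons(exc: Exclusion) -> List[str]:
    """Heuristics derived from the entry described on the page (this editor's, not Microsoft's)."""
    reasons: List[str] = []
    if exc.state.lower() != "enabled":
        return reasons                          # a disabled exclusion opens nothing
    path_nc = ntpath.normcase(exc.path)
    name_nc = ntpath.normcase(exc.value_name)
    # Windows itself keys these entries by full path; the page's entry is keyed by bare file name.
    if name_nc != path_nc and name_nc == ntpath.basename(path_nc):
        reasons.append("value name is the bare file name rather than the full path")
    # The page's entry labels a non-system binary 'ipsec'.
    if exc.display_name.lower() == "ipsec" and not path_nc.startswith(SYSTEM_ROOT):
        reasons.append("display name 'ipsec' on a binary outside the Windows directory")
    # An inbound exclusion for something in a user-writable directory deserves a look.
    if any(marker in path_nc for marker in USER_WRITABLE_MARKERS):
        reasons.append("executable lives in a user-writable directory")
    return reasons


def triage(exclusions: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {value_name: reasons} for every entry that trips at least one heuristic."""
    flagged: Dict[str, List[str]] = {}
    for value_name, data in exclusions.items():
        reasons = suspicious_reasons(parse_exclusion(value_name, data))
        if reasons:
            flagged[value_name] = reasons
    return flagged


# Constructed sample: one ordinary XP-style entry and one shaped like the page's description
# (winkfunt.exe is a file name from the page; the directory is a placeholder).
SAMPLE_EXCLUSIONS = {
    r"C:\Program Files\ExampleApp\app.exe":
        r"C:\Program Files\ExampleApp\app.exe:*:Enabled:Example App",
    "winkfunt.exe":
        r"C:\Documents and Settings\user\Local Settings\Temp\winkfunt.exe:*:enabled:ipsec",
}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EXCLUSIONS).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Each heuristic on its own produces noise (legitimate installers occasionally write odd entries); the value of the script is that the page's entry trips all three at once, which almost nothing legitimate does.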

Downloads and executes arbitrary files

Variants of Win32/Pramro can be instructed to download and execute arbitrary files. Files are written with random file names to the %TEMP% folder, with the prefix "win", for example:

  • %Temp%\winkfunt.exe
  • %Temp%\winkrulih.exe


Acts as a SOCKS proxy

Win32/Pramro may initially attempt to contact the following hosts via port 25 to test for Internet connectivity.

  • c.mx.m<removed>l.yahoo.com
  • d.mx.m<removed>l.yahoo.com
  • imx1.r<removed>bler.ru
  • maila.<removed>crosoft.com
  • mailin<removed>1.mx.aol.com
  • mailin<removed>2.mx.aol.com
  • mailin<removed>3.mx.aol.com
  • mailin<removed>4.mx.aol.com
  • mx1.ya<removed>ex.ru
  • mx2.ya<removed>ex.ru
  • mxs.ma<removed>.ru


If it is unable to connect to any of these hosts using port 25, a connection to a specific IP address on port 80 is made. The IP address may be one of the following:

  • 216.<removed>.103.3
  • 92.<removed>.119.164
  • 94.<removed>.206.19


Otherwise, it randomly selects an IP address from a hard-coded list and attempts to connect to this IP address via port 80 or 1080. The following are examples of IP addresses that the trojan was observed to communicate with:

  • 193.<removed>.186.32:80
  • 212.<removed>.175.9:80
  • 212.<removed>.185.10:80
  • 50.<removed>.171.18:80
  • 50.<removed>.171.19:80
  • 50.<removed>.219.131:80
  • 85.<removed>.141.72:80
  • 94.<removed>.206.216:80
  • 94.<removed>.218.18:80
  • 94.<removed>.225.131:80
  • 94.<removed>.246.83:1080
  • 66.<removed>.184.134:80


Variants of Win32/Pramro open and listen on a random TCP port between 1179 and 8178 (inclusive), except for ports 6665, 6666, and 6667. Older variants may listen on a random port between 1179 and 11178 (inclusive), with the same exceptions.

Win32/Pramro may then be used to relay spam email or HTTP traffic through the open port.
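The network behaviour in this section (the port-25 connectivity probe, the listening-port ranges and the %TEMP%\win* drop location from the download section) is easiest to check from a process-aware connection listing such as netstat -ano plus a PID-to-image map. The script below is an added example for this page, not Microsoft's code: it encodes the two listening ranges with their 6665-6667 exclusion, parses constructed netstat rows, and reports listeners inside the range together with any single process fanning out to several hosts on port 25. The addresses, PIDs and the ExampleIrc path are constructed; winkrulih.exe is a file name from the page, its directory a placeholder.

```python
import ntpath
from typing import Dict, List, NamedTuple, Set, Tuple

IRC_PORTS = {6665, 6666, 6667}


def in_pramro_listen_range(port: int, legacy: bool = False) -> bool:
    """Ranges from the page: 1179-8178 inclusive for current variants, 1179-11178 for
    older ones, both skipping 6665-6667."""
    upper = 11178 if legacy else 8178
    return 1179 <= port <= upper and port not in IRC_PORTS


def looks_like_pramro_drop(image_path: str) -> bool:
    """Page: downloaded files land in %TEMP% under random names prefixed 'win'."""
    nc = ntpath.normcase(image_path)
    name = ntpath.basename(nc)
    return "\\temp\\" in nc and name.startswith("win") and name.endswith(".exe")


class Conn(NamedTuple):
    local_port: int
    remote_host: str
    remote_port: int
    state: str
    pid: int


def parse_netstat(text: str) -> List[Conn]:
    """Parse the TCP rows of 'netstat -ano' output; UDP rows carry no state column and are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _, local, remote, state, pid = fields
        lport = local.rsplit(":", 1)[1]             # rsplit keeps IPv6 literals intact
        rhost, rport = remote.rsplit(":", 1)
        conns.append(Conn(int(lport), rhost, int(rport) if rport.isdigit() else 0, state, int(pid)))
    return conns


def triage(conns: List[Conn], image_by_pid: Dict[int, str], legacy: bool = False) -> Dict[str, list]:
    """Two checks: listeners inside the page's port range, and processes fanning out to port 25."""
    listeners: List[Tuple[int, int, str, bool]] = []
    smtp_hosts: Dict[int, Set[str]] = {}
    for c in conns:
        image = image_by_pid.get(c.pid, "<unknown>")
        if c.state == "LISTENING" and in_pramro_listen_range(c.local_port, legacy):
            listeners.append((c.local_port, c.pid, image, looks_like_pramro_drop(image)))
        elif c.remote_port == 25:
            smtp_hosts.setdefault(c.pid, set()).add(c.remote_host)
    # A mail client talks to one or two servers; one process probing several distinct
    # hosts on 25 matches the connectivity test (and later spam relaying) the page describes.
    fanout = [(pid, len(h)) for pid, h in sorted(smtp_hosts.items()) if len(h) >= 2]
    return {"listeners": listeners, "smtp_fanout": fanout}


# Constructed sample 'netstat -ano' rows (documentation addresses, invented PIDs).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:4521           0.0.0.0:0              LISTENING       2044
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1500
  TCP    192.168.1.10:1053      198.51.100.7:25        SYN_SENT        2044
  TCP    192.168.1.10:1054      198.51.100.8:25        SYN_SENT        2044
  TCP    192.168.1.10:1055      203.0.113.9:80         ESTABLISHED     2044
  TCP    192.168.1.10:1060      203.0.113.20:443       ESTABLISHED     3100
  UDP    0.0.0.0:500            *:*                                    912
"""

# Constructed PID -> image map, as 'tasklist' or a process list would give it.
IMAGE_BY_PID = {
    912: r"C:\WINDOWS\system32\svchost.exe",
    1500: r"C:\Program Files\ExampleIrc\ircd.exe",
    2044: r"C:\Documents and Settings\user\Local Settings\Temp\winkrulih.exe",
    3100: r"C:\Program Files\Internet Explorer\iexplore.exe",
}

if __name__ == "__main__":
    for key, items in triage(parse_netstat(SAMPLE_NETSTAT), IMAGE_BY_PID).items():
        print(key, items)
```

The 6667 listener in the sample is deliberately left unflagged: the page states that the IRC ports are excluded, so a listener there is not this family's behaviour and the range check must encode the exclusion rather than a plain interval. On a live host the listener finding is only a lead until the owning image is examined, which is why the tuple carries the drop-location match alongside the port.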



Analysis by Scott Molenkamp

Last update 15 February 2012
