
TrojanProxy:Win32/Cahecon.A


First posted on 22 April 2014.
Source: Microsoft

Aliases :

There are no other names known for TrojanProxy:Win32/Cahecon.A.

Explanation :

Threat behavior

Installation

TrojanProxy:Win32/Cahecon.A drops a malicious proxy script file that can redirect your browser traffic through an attacker-controlled proxy server.

It can be installed on your PC when you visit a website asking you to install a fake Flash Player.

We have seen it downloaded with the following file names:

  • FlashPlayer11_install.exe
  • FlashPlayer12_install.exe


When run, the trojan installs and runs the following files:

  • %TEMP%\install.cpl
  • %TEMP%\.bat


It will then drop the following files:

  • %TEMP%\.txt
  • %TEMP%\send.vbs
  • %TEMP%\prefs.js


The trojan modifies the following registry entries so that it runs each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: UACDisableNotify
With data: 1

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: EnableLUA
With data: 0

In subkey: HKLM\SOFTWARE\Policies\Microsoft\internet explorer\control panel
Sets value: advancedtab
With data: 1

In subkey: HKCU\Software\Policies\Microsoft\internet explorer\control panel
Sets value: advancedtab
With data: 1

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\systemrestore
Sets value: DisableSR
With data: 1

TrojanProxy:Win32/Cahecon.A can also contact the following server via HTTP POST to report the infection:

  • http://uol.conhecaauol.com.br/black/?


Payload

Steals your personal information

TrojanProxy:Win32/Cahecon.A installs TrojanProxy:JS/Cahecon.A as a proxy auto-config file by modifying the following registry entries:

In subkey: HKCU\software\microsoft\windows\currentversion\internet settings
Sets value: autoconfigurl
With data: file://%temp%\.txt

In subkey: HKLM\software\microsoft\windows\currentversion\internet settings
Sets value: autoconfigurl
With data: file://%temp%\.txt

Once this file is installed, any website you visit is processed by the proxy script file (detected as TrojanProxy:JS/Cahecon.A). This can give a malicious hacker access to your personal information.
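The registry values and dropped files listed above can be checked from a defender's side. The following PowerShell script is an added example, not part of the Microsoft write-up; it reads the registry paths and file names exactly as this page gives them (registry names are case-insensitive, so the mixed casing on the page does not matter) and only reports matches, changing nothing.

```powershell
# Added read-only check for the TrojanProxy:Win32/Cahecon.A indicators named on this page.
# Run in an elevated PowerShell session so the HKLM values are readable.
# Assumption: the paths, value names and data are those listed in the write-up.

$findings = @()

# Registry values the write-up says the trojan sets, with the data it writes.
# Note: EnableLUA=0 or DisableSR=1 can also be set by an administrator on purpose,
# so a single match is a lead, not proof of infection.
$indicators = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                             Name = 'UACDisableNotify'; Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'EnableLUA';        Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\internet explorer\control panel';     Name = 'advancedtab';      Bad = 1 },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\internet explorer\control panel';     Name = 'advancedtab';      Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\systemrestore';      Name = 'DisableSR';        Bad = 1 }
)

foreach ($i in $indicators) {
    $v = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.($i.Name) -eq $i.Bad) {
        $findings += "Registry: $($i.Path)\$($i.Name) = $($i.Bad)"
    }
}

# The key sign of the TrojanProxy:JS/Cahecon.A payload: a proxy auto-config URL
# that points at a local file (the write-up gives file://%temp%\.txt). Any file://
# AutoConfigURL is flagged here, since legitimate PAC files are normally served over HTTP(S).
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "$hive`:\software\microsoft\windows\currentversion\internet settings"
    $pac = (Get-ItemProperty -Path $key -Name autoconfigurl -ErrorAction SilentlyContinue).autoconfigurl
    if ($pac -and $pac -match '^file://') {
        $findings += "PAC: $hive autoconfigurl = $pac"
    }
}

# Dropped files with full names on the page. The .bat and .txt base names are not
# given in the write-up, so they are not guessed here; the PAC check above covers the .txt.
foreach ($name in 'install.cpl', 'send.vbs', 'prefs.js') {
    $p = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $p) { $findings += "File: $p" }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Cahecon.A indicators found.' }
```

If the PAC check fires, inspect the referenced file before deleting it: the script it contains shows which sites the proxy was diverting.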



Analysis by Jonathan San Jose

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    %TEMP%\install.cpl
    %TEMP%\.bat
    %TEMP%\.txt
    %TEMP%\send.vbs
    %TEMP%\prefs.js
  • You see these entries or keys in your registry:

    In subkey: HKLM\SOFTWARE\Microsoft\Security Center
    Sets value: UACDisableNotify
    With data: 1

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Sets value: EnableLUA
    With data: 0

    In subkey: HKLM\SOFTWARE\Policies\Microsoft\internet explorer\control panel
    Sets value: advancedtab
    With data: 1

    In subkey: HKCU\Software\Policies\Microsoft\internet explorer\control panel
    Sets value: advancedtab
    With data: 1

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\systemrestore
    Sets value: DisableSR
    With data: 1

    In subkey: HKCU\software\microsoft\windows\currentversion\internet settings
    Sets value: autoconfigurl
    With data: file://%temp%\.txt

    In subkey: HKLM\software\microsoft\windows\currentversion\internet settings
    Sets value: autoconfigurl
    With data: file://%temp%\.txt





Last update 22 April 2014
