
Trojan:Win32/Puvbed.B


First posted on 14 December 2009.
Source: SecurityHome

Aliases :

Trojan:Win32/Puvbed.B is also known as Win32/TrojanProxy.Wintu.B (ESET), Trojan.Win32.Vilsel.nvn (Kaspersky).

Explanation :

Trojan:Win32/Puvbed.B is a Win32, UPX-packed, 19,456 byte malicious executable which sets itself to run on every system start up and acts as an unauthorized proxy.


Installation
Upon execution, Trojan:Win32/Puvbed.B copies itself to c:\lsass.exe. It deletes every key found in "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" and then adds the following entry:

To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "<random decimal number>"
With data: "<full path to malware executable>"

This executes the trojan at each Windows start, and ensures that the Run key referencing the trojan is different every time it executes.

Payload
Acts as unauthorized proxy

The trojan sets the following registry entry:

To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Adds value: "DHCP"
With data: ""

It then attempts to utilize Squid proxies, trying to connect and listen on port 3128 at various Internet addresses. By doing so the trojan attempts to receive and send data, thus acting as a proxy for malicious purposes. For control purposes the trojan also opens and listens on TCP/IP port 23002.
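The indicators above (a Run-key value whose name is a bare decimal number, data pointing at c:\lsass.exe rather than %SystemRoot%\System32, a listener on TCP 23002, and outbound connections to port 3128) can be turned into a simple triage check. The following is an added example written for this page, not code from the original analysis or from Microsoft. It runs over constructed sample data, a small list of Run-key (value name, data) pairs and a few netstat-style lines modelled on the layout of `netstat -ano`, so it works offline; on a live host you would feed it the real Run-key export and netstat output instead. The PIDs, addresses and the numeric value name are made up for the sample.

```python
import re

# Constructed sample Run-key entries, as (value_name, data) pairs.
# Only the c:\lsass.exe path and the Run key come from the page; the
# other values are assumed for illustration.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("48213907", r"c:\lsass.exe"),
]

# Constructed netstat-style lines (layout modelled on `netstat -ano`).
# PIDs and addresses are made up; ports 23002 and 3128 come from the page.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:23002          0.0.0.0:0              LISTENING       1612
  TCP    10.0.0.5:49712         203.0.113.9:3128       ESTABLISHED     1612
"""

def suspicious_run_entries(entries):
    r"""Return Run-key entries matching the page's persistence indicators:
    an all-digit value name, or data pointing at c:\lsass.exe (the genuine
    lsass.exe lives in %SystemRoot%\System32, never in the drive root)."""
    findings = []
    for name, data in entries:
        reasons = []
        if name.isdigit():
            reasons.append("numeric value name")
        if data.strip('"').lower() == r"c:\lsass.exe":
            reasons.append("lsass.exe outside System32")
        if reasons:
            findings.append((name, data, reasons))
    return findings

# One TCP row: local addr:port, foreign addr:port, state, PID.
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$"
)

def suspicious_connections(netstat_text):
    """Flag a local LISTENING socket on 23002 (the control port named on
    the page) and established connections to remote port 3128 (Squid)."""
    findings = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header or non-TCP row
        laddr, lport, raddr, rport, state, pid = m.groups()
        if state == "LISTENING" and lport == "23002":
            findings.append(("listener", int(pid), f"{laddr}:{lport}"))
        elif state == "ESTABLISHED" and rport == "3128":
            findings.append(("outbound-3128", int(pid), f"{raddr}:{rport}"))
    return findings

def run_check(entries=SAMPLE_RUN_ENTRIES, netstat_text=SAMPLE_NETSTAT):
    """Combine both checks into one report dict."""
    return {
        "run_key": RUN_KEY,
        "run": suspicious_run_entries(entries),
        "net": suspicious_connections(netstat_text),
    }

if __name__ == "__main__":
    report = run_check()
    for name, data, reasons in report["run"]:
        print(f"Run value {name!r} -> {data}: {', '.join(reasons)}")
    for kind, pid, endpoint in report["net"]:
        print(f"{kind}: pid {pid} {endpoint}")
```

The two checks are kept separate so that either signal can be triaged on its own: a numeric Run value is unusual enough to warrant a look even without the network indicators, and a PID that shows up both listening on 23002 and connected to a remote 3128 (as in the sample) is a strong match for the behaviour described above.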

Analysis by Oleg Petrovsky

Last update 14 December 2009