Win32/TrojanProxy.Small.NP | ESET Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

O
P
Q
R
S
T
U
V
W
X
Y
Z
Glossary

Short description

Win32/TrojanProxy.Small.NP is a trojan that is used for spam distribution. It uses techniques common for rootkits.

Installation

When executed, the trojan copies itself into the: %windir% folder with the following file names:

services.exe

The file is then executed. The trojan deletes the original file.

The following file is dropped into the %system%\drivers\ folder:

beeper.sys (4416 B)

Installs the following system drivers:

beeper.sys

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run]
"runservices" = "%windir%\services.exe"

The trojan may set the following Registry entries:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\beep]
"ImagePath" = "%system%\DRIVERS\beeper.sys"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\
Desktop]
"id" = %number%

more...

The variable %number% stands for a variable 12 digit number.

The following Registry entry is set:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Policies\Associations]
"DefaultFileTypeRisk" = 1807
"ModRiskFileTypes" = ".exe"

This prevents Windows from displaying the Security Warning when launching a file downloaded from the Internet.

Payload information

The trojan can be used for sending spam.

The trojan is sent data and commands from a remote computer or the Internet. The HTTP protocol is used in the communication.

The recipient address is one of the following:

%variable%@hotmail.com
%variable%@yahoo.com
%variable%@aol.com
%variable%@google.com
%variable%@mail.com

A string with variable content is used instead of %variable% .

The SMTP protocol is used.

Other information

The following services are disabled:

wscsvc (Security Center)
sharedaccess (Windows Firewall/Internet Connection Sharing (ICS))

The trojan replaces the following file by one downloaded from the Internet:

%system%\drivers\etc\hosts

It contains the following text:

0.0.0.0 avgate.net
0.0.0.0 ad.doubleclick.net
0.0.0.0 ad.fastclick.net
0.0.0.0 ads.fastclick.net
0.0.0.0 ar.atwola.com

more...

0.0.0.0 avgate.net
0.0.0.0 ad.doubleclick.net
0.0.0.0 ad.fastclick.net
0.0.0.0 ads.fastclick.net
0.0.0.0 ar.atwola.com
0.0.0.0 atdmt.com
0.0.0.0 avp.ch
0.0.0.0 avp.com
0.0.0.0 avp.ru
0.0.0.0 avast.com
0.0.0.0 awaps.net
0.0.0.0 banner.fastclick.net
0.0.0.0 banners.fastclick.net
0.0.0.0 click.atdmt.com
0.0.0.0 clicks.atdmt.com
0.0.0.0 customer.symantec.com
0.0.0.0 dispatch.mcafee.com
0.0.0.0 download.mcafee.com
0.0.0.0 download.microsoft.com
0.0.0.0 downloads.microsoft.com
0.0.0.0 downloads1.kaspersky-labs.com
0.0.0.0 downloads2.kaspersky-labs.com
0.0.0.0 downloads3.kaspersky-labs.com
0.0.0.0 downloads4.kaspersky-labs.com
0.0.0.0 engine.awaps.net
0.0.0.0 fastclick.net
0.0.0.0 f-secure.com
0.0.0.0 ftp.f-secure.com
0.0.0.0 ftp.sophos.com
0.0.0.0 ftp://downloads1.kaspersky-labs.com/updates/
0.0.0.0 ftp://avp.ch/updates/
0.0.0.0 ftp://ftp.kasperskylab.ru/updates/
0.0.0.0 ftp://updates3.kaspersky-labs.com/updates/
0.0.0.0 go.microsoft.com
0.0.0.0 http://updates1.kaspersky-labs.com/updates/
0.0.0.0 http://updates2.kaspersky-labs.com/updates/
0.0.0.0 http://updates3.kaspersky-labs.com/updates/
0.0.0.0 http://updates4.kaspersky-labs.com/updates/
0.0.0.0 http://updates5.kaspersky-labs.com/updates/
0.0.0.0 http://www.kaspersky.ru/updates/
0.0.0.0 http://www.kaspersky-labs.com/updates/
0.0.0.0 ids.kaspersky-labs.com
0.0.0.0 kaspersky-labs.com
0.0.0.0 liveupdate.symantec.com
0.0.0.0 liveupdate.symantecliveupdate.com
0.0.0.0 mast.mcafee.com
0.0.0.0 media.fastclick.net
0.0.0.0 msdn.microsoft.com
0.0.0.0 my-etrust.com
0.0.0.0 networkassociates.com
0.0.0.0 office.microsoft.com
0.0.0.0 phx.corporate-ir.net
0.0.0.0 rads.mcafee.com
0.0.0.0 secure.nai.com
0.0.0.0 securityresponse.symantec.com
0.0.0.0 servicel.symantec.com
0.0.0.0 spd.atdmt.com
0.0.0.0 support.microsoft.com
0.0.0.0 update.symantec.com
0.0.0.0 updates.symantec.com
0.0.0.0 us.mcafee.com
0.0.0.0 vil.nai.com
0.0.0.0 viruslist.com
0.0.0.0 viruslist.ru
0.0.0.0 windowsupdate.microsoft.com
0.0.0.0 www.avp.ch
0.0.0.0 www.avp.com
0.0.0.0 www.avp.ru
0.0.0.0 www.avast.com
0.0.0.0 www.awaps.net
0.0.0.0 www.fastclick.net
0.0.0.0 www.f-secure.com
0.0.0.0 www.grisoft.com
0.0.0.0 www.kaspersky.ru
0.0.0.0 www.my-etrust.com
0.0.0.0 www.networkassociates.com
0.0.0.0 www.viruslist.com
0.0.0.0 www.viruslist.ru
0.0.0.0 jotti.org
0.0.0.0 www.jotti.org
0.0.0.0 drweb.ru
0.0.0.0 www.drweb.ru
0.0.0.0 drweb.com
0.0.0.0 www.drweb.com
0.0.0.0 eset.com
0.0.0.0 www.eset.com
0.0.0.0 avira.com
0.0.0.0 www.avira.com
0.0.0.0 avira.de
0.0.0.0 www.avira.de
0.0.0.0 mcafee.com
0.0.0.0 www.mcafee.com
0.0.0.0 mcafee.net
0.0.0.0 www.mcafee.net
0.0.0.0 mcafee.org
0.0.0.0 www.mcafee.org
0.0.0.0 mcafeesecurity.com
0.0.0.0 www.mcafeesecurity.com
0.0.0.0 mcafeesecurity.net
0.0.0.0 www.mcafeesecurity.net
0.0.0.0 mcafeesecurity.org
0.0.0.0 www.mcafeesecurity.org
0.0.0.0 mcafeeb2b.com
0.0.0.0 www.mcafeeb2b.com
0.0.0.0 mcafeeb2b.net
0.0.0.0 www.mcafeeb2b.net
0.0.0.0 mcafeeb2b.org
0.0.0.0 www.mcafeeb2b.org
0.0.0.0 nai.com
0.0.0.0 www.nai.com
0.0.0.0 nai.net
0.0.0.0 www.nai.net
0.0.0.0 nai.org
0.0.0.0 www.nai.org
0.0.0.0 vil.nai.com
0.0.0.0 www.vil.nai.com
0.0.0.0 vil.nai.net
0.0.0.0 www.vil.nai.net
0.0.0.0 vil.nai.org
0.0.0.0 www.vil.nai.org
0.0.0.0 grisoft.com
0.0.0.0 www.grisoft.com
0.0.0.0 grisoft.net
0.0.0.0 www.grisoft.net
0.0.0.0 grisoft.org
0.0.0.0 www.grisoft.org
0.0.0.0 kaspersky-labs.com
0.0.0.0 www.kaspersky-labs.com
0.0.0.0 kaspersky-labs.net
0.0.0.0 www.kaspersky-labs.net
0.0.0.0 kaspersky-labs.org
0.0.0.0 www.kaspersky-labs.org
0.0.0.0 kaspersky.com
0.0.0.0 www.kaspersky.com
0.0.0.0 kaspersky.net
0.0.0.0 www.kaspersky.net
0.0.0.0 kaspersky.org
0.0.0.0 www.kaspersky.org
0.0.0.0 downloads1.kaspersky-labs.com
0.0.0.0 www.downloads1.kaspersky-labs.com
0.0.0.0 downloads2.kaspersky-labs.com
0.0.0.0 www.downloads2.kaspersky-labs.com
0.0.0.0 downloads3.kaspersky-labs.com
0.0.0.0 www.downloads3.kaspersky-labs.com
0.0.0.0 downloads4.kaspersky-labs.com
0.0.0.0 www.downloads4.kaspersky-labs.com
0.0.0.0 download.mcafee.com
0.0.0.0 www.download.mcafee.com
0.0.0.0 download.mcafee.net
0.0.0.0 www.download.mcafee.net
0.0.0.0 download.mcafee.org
0.0.0.0 www.download.mcafee.org
0.0.0.0 norton.com
0.0.0.0 www.norton.com
0.0.0.0 norton.net
0.0.0.0 www.norton.net
0.0.0.0 norton.org
0.0.0.0 www.norton.org
0.0.0.0 symantec.com
0.0.0.0 www.symantec.com
0.0.0.0 symantec.net
0.0.0.0 www.symantec.net
0.0.0.0 symantec.org
0.0.0.0 www.symantec.org
0.0.0.0 liveupdate.symantecliveupdate.com
0.0.0.0 www.liveupdate.symantecliveupdate.com
0.0.0.0 liveupdate.symantecliveupdate.net
0.0.0.0 www.liveupdate.symantecliveupdate.net
0.0.0.0 liveupdate.symantecliveupdate.org
0.0.0.0 www.liveupdate.symantecliveupdate.org
0.0.0.0 liveupdate.symantec.com
0.0.0.0 www.liveupdate.symantec.com
0.0.0.0 liveupdate.symantec.net
0.0.0.0 www.liveupdate.symantec.net
0.0.0.0 liveupdate.symantec.org
0.0.0.0 www.liveupdate.symantec.org
0.0.0.0 update.symantec.com
0.0.0.0 www.update.symantec.com
0.0.0.0 update.symantec.net
0.0.0.0 www.update.symantec.net
0.0.0.0 update.symantec.org
0.0.0.0 www.update.symantec.org
0.0.0.0 securityresponse.symantec.com
0.0.0.0 www.securityresponse.symantec.com
0.0.0.0 securityresponse.symantec.net
0.0.0.0 www.securityresponse.symantec.net
0.0.0.0 securityresponse.symantec.org
0.0.0.0 www.securityresponse.symantec.org
0.0.0.0 sarc.com
0.0.0.0 www.sarc.com
0.0.0.0 sarc.net
0.0.0.0 www.sarc.net
0.0.0.0 sarc.org
0.0.0.0 www.sarc.org
0.0.0.0 vaksin.com
0.0.0.0 www.vaksin.com
0.0.0.0 vaksin.net
0.0.0.0 www.vaksin.net
0.0.0.0 vaksin.org
0.0.0.0 www.vaksin.org
0.0.0.0 forum.vaksin.com
0.0.0.0 www.forum.vaksin.com
0.0.0.0 forum.vaksin.net
0.0.0.0 www.forum.vaksin.net
0.0.0.0 forum.vaksin.org
0.0.0.0 www.forum.vaksin.org
0.0.0.0 norman.com
0.0.0.0 www.norman.com
0.0.0.0 norman.net
0.0.0.0 www.norman.net
0.0.0.0 norman.org
0.0.0.0 www.norman.org
0.0.0.0 trendmicro.com
0.0.0.0 www.trendmicro.com
0.0.0.0 trendmicro.net
0.0.0.0 www.trendmicro.net
0.0.0.0 trendmicro.org
0.0.0.0 www.trendmicro.org
0.0.0.0 trendmicro-europe.com
0.0.0.0 www.trendmicro-europe.com
0.0.0.0 trendmicro-europe.net
0.0.0.0 www.trendmicro-europe.net
0.0.0.0 trendmicro-europe.org
0.0.0.0 www.trendmicro-europe.org
0.0.0.0 ae.trendmicro-europe.com
0.0.0.0 www.ae.trendmicro-europe.com
0.0.0.0 ae.trendmicro-europe.net
0.0.0.0 www.ae.trendmicro-europe.net
0.0.0.0 ae.trendmicro-europe.org
0.0.0.0 www.ae.trendmicro-europe.org
0.0.0.0 it.trendmicro-europe.com
0.0.0.0 www.it.trendmicro-europe.com
0.0.0.0 it.trendmicro-europe.net
0.0.0.0 www.it.trendmicro-europe.net
0.0.0.0 it.trendmicro-europe.org
0.0.0.0 www.it.trendmicro-europe.org
0.0.0.0 secunia.com
0.0.0.0 www.secunia.com
0.0.0.0 secunia.net
0.0.0.0 www.secunia.net
0.0.0.0 secunia.org
0.0.0.0 www.secunia.org
0.0.0.0 winantivirus.com
0.0.0.0 www.winantivirus.com
0.0.0.0 winantivirus.net
0.0.0.0 www.winantivirus.net
0.0.0.0 winantivirus.org
0.0.0.0 www.winantivirus.org
0.0.0.0 pandasoftware.com
0.0.0.0 www.pandasoftware.com
0.0.0.0 pandasoftware.net
0.0.0.0 www.pandasoftware.net
0.0.0.0 pandasoftware.org
0.0.0.0 www.pandasoftware.org
0.0.0.0 esafe.com
0.0.0.0 www.esafe.com
0.0.0.0 esafe.net
0.0.0.0 www.esafe.net
0.0.0.0 esafe.org
0.0.0.0 www.esafe.org
0.0.0.0 f-secure.com
0.0.0.0 www.f-secure.com
0.0.0.0 f-secure.net
0.0.0.0 www.f-secure.net
0.0.0.0 f-secure.org
0.0.0.0 www.f-secure.org
0.0.0.0 europe.f-secure.com
0.0.0.0 www.europe.f-secure.com
0.0.0.0 europe.f-secure.net
0.0.0.0 www.europe.f-secure.net
0.0.0.0 europe.f-secure.org
0.0.0.0 www.europe.f-secure.org
0.0.0.0 bhs.com
0.0.0.0 www.bhs.com
0.0.0.0 bhs.net
0.0.0.0 www.bhs.net
0.0.0.0 bhs.org
0.0.0.0 www.bhs.org
0.0.0.0 datafellows.com
0.0.0.0 www.datafellows.com
0.0.0.0 datafellows.net
0.0.0.0 www.datafellows.net
0.0.0.0 datafellows.org
0.0.0.0 www.datafellows.org
0.0.0.0 cheyenne.com
0.0.0.0 www.cheyenne.com
0.0.0.0 cheyenne.net
0.0.0.0 www.cheyenne.net
0.0.0.0 cheyenne.org
0.0.0.0 www.cheyenne.org
0.0.0.0 ontrack.com
0.0.0.0 www.ontrack.com
0.0.0.0 ontrack.net
0.0.0.0 www.ontrack.net
0.0.0.0 ontrack.org
0.0.0.0 www.ontrack.org
0.0.0.0 sands.com
0.0.0.0 www.sands.com
0.0.0.0 sands.net
0.0.0.0 www.sands.net
0.0.0.0 sands.org
0.0.0.0 www.sands.org
0.0.0.0 sophos.com
0.0.0.0 www.sophos.com
0.0.0.0 sophos.net
0.0.0.0 www.sophos.net
0.0.0.0 sophos.org
0.0.0.0 www.sophos.org
0.0.0.0 icubed.com
0.0.0.0 www.icubed.com
0.0.0.0 icubed.net
0.0.0.0 www.icubed.net
0.0.0.0 icubed.org
0.0.0.0 www.icubed.org
0.0.0.0 perantivirus.com
0.0.0.0 www.perantivirus.com
0.0.0.0 perantivirus.net
0.0.0.0 www.perantivirus.net
0.0.0.0 perantivirus.org
0.0.0.0 www.perantivirus.org
0.0.0.0 castlecops.com
0.0.0.0 www.castlecops.com
0.0.0.0 castlecops.net
0.0.0.0 www.castlecops.net
0.0.0.0 castlecops.org
0.0.0.0 www.castlecops.org
0.0.0.0 virustotal.com
0.0.0.0 www.virustotal.com
0.0.0.0 virustotal.net
0.0.0.0 www.virustotal.net
0.0.0.0 virustotal.org
0.0.0.0 www.virustotal.org
0.0.0.0 free-av.com
0.0.0.0 www.free-av.com
0.0.0.0 free-av.net
0.0.0.0 www.free-av.net
0.0.0.0 free-av.org
0.0.0.0 www.free-av.org
0.0.0.0 antivirus.com
0.0.0.0 www.antivirus.com
0.0.0.0 antivirus.net
0.0.0.0 www.antivirus.net
0.0.0.0 antivirus.org
0.0.0.0 www.antivirus.org
0.0.0.0 anti-virus.com
0.0.0.0 www.anti-virus.com
0.0.0.0 anti-virus.net
0.0.0.0 www.anti-virus.net
0.0.0.0 anti-virus.org
0.0.0.0 www.anti-virus.org
0.0.0.0 ca.com
0.0.0.0 www.ca.com
0.0.0.0 ca.net
0.0.0.0 www.ca.net
0.0.0.0 ca.org
0.0.0.0 www.ca.org
0.0.0.0 fajarweb.com
0.0.0.0 www.fajarweb.com
0.0.0.0 fajarweb.net
0.0.0.0 www.fajarweb.net
0.0.0.0 fajarweb.org
0.0.0.0 www.fajarweb.org
0.0.0.0 backup.grisoft.com
0.0.0.0 www.backup.grisoft.com
0.0.0.0 backup.grisoft.net
0.0.0.0 www.backup.grisoft.net
0.0.0.0 backup.grisoft.org
0.0.0.0 www.backup.grisoft.org
0.0.0.0 comodo.com
0.0.0.0 www.comodo.com
0.0.0.0 antivirus.comodo.com
0.0.0.0 www.antivirus.comodo.com
0.0.0.0 zonealarm.com
0.0.0.0 www.zonealarm.com
0.0.0.0 agnitum.ru
0.0.0.0 www.agnitum.ru

less...

This way the trojan blocks access to specific websites.

The trojan hides files and processes which contain one of the following strings in their name:

services
SERVISES

The trojan hides Registry entries which contain one of the following strings in their name:

runservices

The trojan opens a random TCP port.

The trojan can download and execute a file from the Internet. The trojan contains an URL address.