Proxy-Migmaf
- Type: Malware
- SubType: Win32
- Discovery Date: 07/11/2003
- Length: 46,080 bytes (packed)
- Minimum DAT: 4277 (07/16/2003)
- Updated DAT: 4277 (07/16/2003)
- Minimum Engine: 5.1.00
- Description Added: 07/11/2003
- Description Modified: 07/17/2003 8:56 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update July 11, 2003 --
This threat was updated to a Low-Profiled risk due to media attention at: http://news.com.com/2100-12_3-1024967.html
This is not an email virus. This detection is for a trojan that acts as a reverse proxy on the victim machine, redirecting HTTP requests to a remote web server.
Multiple versions of this threat are known to exist. Those received by AVERT have been packed with tElock. Users are recommended to use the 4.2.60 engine (Windows) or 4.2.40 engine (other platforms) for optimal detection.
By routing HTTP requests through the reverse proxy running on victim machines, the hacker is able to mask the genuine source IP of the web server hosting the web content (typically pornographic).
Upon execution, the trojan creates a mutex of name:
REQUEST_MANAGE_SUBSYSTEM
The trojan checks the keyboard layout of the victim machine in order to stop it functioning on Russian machines (those with a Russian keyboard configuration, at least). Values under the following key are used to determine the layout(s):
HKEY_CURRENT_USER\Keyboard Layout\Preload
The trojan does not copy itself on the victim machine, but merely adds the following Registry hook pointing to the file that was executed:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Login Service" = (points to the file executed)
After a short sleep, the trojan attempts to access the following site:
www.microsoft.com
Subsequently, (garbage) data is sent to this site (port 80) as a means of testing available bandwidth. A disclaimer in the body of the trojan highlights this:
disclaimer: www.microsoft.com used for bandwidth speed testing only
In order to help prevent identification of the server which genuinely hosts the web content, the trojan does not connect directly to the relevant IP. Instead, it cycles through various A.B.C.D combinations, constructed by varying each octet between certain values:
| A | B | C | D |
|---|---|---|---|
| 78 | 12 | 55 | 61 |
| 209 | 128 | 211 | 187 |
| 216 | 164 | 216 | 210 |
Symptoms
- existence of the Registry key described above
- unexpected traffic to remote servers (destination port 80, HTTP)
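As an added defender-side example (not part of the AVERT description), the following Python builds the watchlist of every A.B.C.D combination the octet table above allows and scans a constructed sample of outbound-connection log lines for port-80 traffic to those addresses, i.e. the "unexpected traffic" symptom listed above. The log line format and the sample entries are hypothetical and constructed here.

```python
import itertools
import re

# Octet values taken from the description's A/B/C/D table; the trojan is said
# to cycle through combinations built by varying each octet over these values.
OCTET_VALUES = {
    "A": (78, 209, 216),
    "B": (12, 128, 164),
    "C": (55, 211, 216),
    "D": (61, 187, 210),
}


def build_watchlist():
    """Return the set of every A.B.C.D combination the table allows (3**4 = 81 addresses)."""
    return {"%d.%d.%d.%d" % combo for combo in itertools.product(*OCTET_VALUES.values())}


# Constructed sample of outbound-connection log lines (hypothetical format:
# "<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes_out>").
SAMPLE_LOG = """\
2003-07-11T10:01:02 10.0.0.5:1037 -> 209.164.55.187:80 312
2003-07-11T10:01:07 10.0.0.5:1038 -> 203.0.113.7:80 1048576
2003-07-11T10:01:09 10.0.0.5:1039 -> 10.0.0.1:445 2048
2003-07-11T10:02:15 10.0.0.5:1040 -> 78.12.211.61:80 540
2003-07-11T10:02:20 10.0.0.5:1041 -> 78.12.211.62:80 540
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\d+)$")


def scan_log(log_text, watchlist=None):
    """Flag port-80 connections whose destination falls in the trojan's address space.

    Returns a list of (timestamp, src_ip, dst_ip) tuples for each hit, in log order.
    """
    watchlist = build_watchlist() if watchlist is None else watchlist
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, src, _sport, dst, dport, _nbytes = m.groups()
        if int(dport) == 80 and dst in watchlist:
            hits.append((ts, src, dst))
    return hits


if __name__ == "__main__":
    for ts, src, dst in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}:80 matches the Proxy-Migmaf octet table")
```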
Method of Infection
The trojan requires execution on the victim machine in order for the reverse proxy server to be installed. Once running, HTTP requests are routed through the victim machine, hiding the IP address of the server hosting the web content.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A