Proxy-Thunker

Type: Trojan
SubType: Remote Access
Discovery Date: 09/03/2003
Length: 14,848 bytes
Minimum DAT: 4292 (09/10/2003)
Updated DAT: 4298 (10/15/2003)
Minimum Engine: 5.1.00
Description Added: 09/05/2003
Description Modified: 09/26/2003 9:11 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

The 4.1.60 scan engine will detect this threat with the required DAT file. However, because the trojan injects a DLL into a running process, the 4.2.40 engine is required for the repair to succeed without rebooting.

This trojan creates an open proxy server on the victim's system, which spammers may use to send email anonymously. The server may listen on random IP ports.

The trojan may be dropped by a VBScript dropper file (possibly named real.hta). When this script runs, a file named msdos.exe or wsysc.exe is written to the C:\ directory and executed. This .exe file drops a DLL, wthunk32.dll, into the Windows SYSTEM directory (%SysDir%). The following registry value is created to load this DLL at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    ShellServiceObjectDelayLoad "OLE Automation Module" = 3F143C3A-1457-6CCA-03A7-7AA23B61E40F

Other registry entries are created:

  • HKEY_CURRENT_USER\Software\Classes\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}
  • HKEY_CLASSES_ROOT\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}

Upon reboot, the wthunk32.dll file is injected into the explorer.exe process. The DLL retrieves a web page from the IP address 64.246.60.83; the page returns instructions to the DLL, which may direct it to open various IP ports on the infected system for a remote attacker to use.

Note: The .dll file is considered to be the Proxy-Thunker trojan, while the .hta and .exe files that drop the trojan are known as Proxy-Thunker.dr.

Symptoms

  • Presence of the file wthunk32.dll in the SYSTEM directory (i.e. c:\winnt\system32 or c:\windows\system32)
  • System listening on unexpected IP ports or relaying SMTP email
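As an added defender's check (example code written here, not McAfee's tooling or part of the description), the following PowerShell script audits the ShellServiceObjectDelayLoad startup hook described above and tests for the two symptoms listed: it resolves each SSODL CLSID to its InprocServer32 DLL, flags the CLSID and wthunk32.dll named in this description, checks System32 for the file, and lists listening TCP sockets owned by explorer.exe. It assumes a current Windows host where Get-NetTCPConnection is available and is run from an elevated session.

```powershell
# Added example, not part of the McAfee description: audit the ShellServiceObjectDelayLoad
# (SSODL) startup hook used by Proxy-Thunker and check for its listed symptoms.
# Run in an elevated PowerShell session on the host under investigation.

$ssodlPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$knownClsid = '{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}'   # CLSID quoted in the description
$knownDll   = 'wthunk32.dll'                             # DLL name quoted in the description

function Get-SsodlEntries {
    $key = Get-Item -Path $ssodlPath -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $clsid = [string]$key.GetValue($name)
        if ($clsid -notmatch '^\{') { $clsid = "{$clsid}" }   # tolerate values stored without braces

        # Resolve the CLSID to the in-process server COM would load into explorer.exe.
        # HKCR merges HKLM and HKCU classes, so check both hives and remember which one answered:
        # a CLSID for a machine-wide hook that exists only under HKCU is itself suspicious.
        $server = $null; $hiveHit = $null
        foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes') {
            $srv = Get-ItemProperty -Path "$hive\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv) { $server = $srv.'(default)'; $hiveHit = $hive.Split(':')[0]; break }
        }

        $flags = @()
        if ($clsid -ieq $knownClsid)                                  { $flags += 'known Proxy-Thunker CLSID' }
        if ($server -and $server -imatch [regex]::Escape($knownDll))  { $flags += "server is $knownDll" }
        if ($hiveHit -eq 'HKCU')                                      { $flags += 'CLSID registered per-user only' }
        if (-not $server)                                             { $flags += 'CLSID does not resolve' }

        [pscustomobject]@{ Entry = $name; CLSID = $clsid; Server = $server; Hive = $hiveHit; Flags = ($flags -join '; ') }
    }
}

Get-SsodlEntries | Format-Table -AutoSize

# Symptom 1: the DLL dropped into the SYSTEM directory.
$dllPath = Join-Path $env:SystemRoot "System32\$knownDll"
"{0} present in System32: {1}" -f $knownDll, (Test-Path $dllPath)

# Symptom 2: unexpected listening ports. Because the DLL runs inside explorer.exe,
# any listening socket owned by explorer.exe is a strong anomaly (it normally has none).
$explorerPids = @(Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object Id)
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $explorerPids -contains $_.OwningProcess } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize
```

Legitimate SSODL entries (for example the shell's own WebCheck object) will appear in the table with an empty Flags column; only entries with a flag need follow-up.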

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use specified engine and DAT files for detection. The 4.2.40 engine can complete repair without reboot, but older engines require a reboot for repair to complete.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the current engine and DAT combination (or higher); older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Proxy-Thunker.dr
  • Win32.Knooth.B (CA)
