Content
Proxy-ProxList
- Type
- Trojan
- SubType
- Proxy
- Discovery Date
- 12/10/2003
- Length
- Minimum DAT
- 4308 (12/10/2003)
- Updated DAT
- 4959 (02/08/2007)
- Minimum Engine
- 5.1.00
- Description Added
- 04/21/2004
- Description Modified
- 10/27/2006 7:45 PM (PT)
Characteristics
This is a detection for the Proxy-ProxList trojan, which drops a rootkit in %SYSTEMDIR%\drivers to hide files. The rootkit is detected as Proxy-ProxList.sys. Proxy-ProxList communicates with z.proxylist.ru over HTTP to download files.
On execution Proxy-ProxList drops the following files:
- %SYSTEMDIR%\drivers\ndisfilter.sys
- %SYSTEMDIR%\pfplgflt.dll
It then registers the rootkit (ndisfilter.sys) as a service that starts automatically on reboot, by creating the following registry key and values:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NdisFilter
- Type: 0x00000001
- Start: 0x00000002
- ErrorControl: 0x00000000
- ImagePath: "\??\%SYSTEMDIR%\drivers\ndisfilter.sys"
- DisplayName: "NdisFilter"
- Group: "Base"
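The persistence entry above can be checked mechanically. The following Python is an added example, not code from the original description or from McAfee: it decodes the Type and Start values the page lists (0x1 is SERVICE_KERNEL_DRIVER, 0x2 is SERVICE_AUTO_START), strips the NT object-manager prefix from ImagePath, and flags any service named NdisFilter or whose image is drivers\ndisfilter.sys. The snapshot dictionary is constructed for the demo; `load_services_from_registry` reads the live key on Windows (CurrentControlSet is a link to the ControlSet001 key the page names) and is not needed to run the check offline.

```python
import sys

# Constructed snapshot of HKLM\SYSTEM\ControlSet001\Services for the demo.
# The NdisFilter entry mirrors the values in the description; "Beep" is a
# benign kernel driver added for contrast.
SAMPLE_SERVICES = {
    "NdisFilter": {
        "Type": 0x00000001,
        "Start": 0x00000002,
        "ErrorControl": 0x00000000,
        "ImagePath": r"\??\C:\WINDOWS\system32\drivers\ndisfilter.sys",
        "DisplayName": "NdisFilter",
        "Group": "Base",
    },
    "Beep": {"Type": 0x1, "Start": 0x1, "ImagePath": r"system32\drivers\beep.sys"},
}

SERVICE_TYPES = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                 0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPES = {0x0: "SERVICE_BOOT_START", 0x1: "SERVICE_SYSTEM_START",
               0x2: "SERVICE_AUTO_START", 0x3: "SERVICE_DEMAND_START", 0x4: "SERVICE_DISABLED"}


def normalize_image_path(path):
    """Strip the NT object-manager prefix "\\??\\" and lower-case for comparison."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.replace("/", "\\").lower()


def find_proxlist_service(services):
    """Return findings for services matching the Proxy-ProxList persistence entry."""
    findings = []
    for name, values in services.items():
        image = normalize_image_path(str(values.get("ImagePath", "")))
        if name.lower() != "ndisfilter" and not image.endswith("\\drivers\\ndisfilter.sys"):
            continue
        svc_type, start = values.get("Type"), values.get("Start")
        findings.append({
            "service": name,
            "type": SERVICE_TYPES.get(svc_type, hex(svc_type or 0)),
            "start": START_TYPES.get(start, hex(start or 0)),
            "image_path": image,
            # A kernel driver that the SCM loads automatically at boot is exactly
            # the combination the description reports.
            "auto_start_driver": svc_type == 0x1 and start == 0x2,
        })
    return findings


def load_services_from_registry():
    """Read the live Services key on Windows (only available there)."""
    import winreg  # standard library, Windows only
    services = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            values = {}
            with winreg.OpenKey(root, name) as key:
                for value_name in ("Type", "Start", "ErrorControl", "ImagePath", "DisplayName", "Group"):
                    try:
                        values[value_name] = winreg.QueryValueEx(key, value_name)[0]
                    except OSError:
                        pass  # value not set for this service
            services[name] = values
    return services


if __name__ == "__main__":
    snapshot = load_services_from_registry() if sys.platform == "win32" else SAMPLE_SERVICES
    for finding in find_proxlist_service(snapshot):
        print(finding)
```

Matching on the image path as well as the service name catches a variant that keeps the driver file but renames the service; the `auto_start_driver` flag is what distinguishes the persistence described here from a driver that merely exists on disk.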
Details about the ndisfilter.sys file are also available on the Proxy-ProxList.sys page. This rootkit hides pfplgflt.dll and any other files that may be downloaded.
Proxy-ProxList.sys hooks the System Service Descriptor Table (SSDT), replacing the address of NtQueryDirectoryFile, and hides files on the compromised system whose names match "pfplg*". For example, the following files were hidden by the rootkit:
- pfplgflt.dll
- pfplgnfo.dll
- pfplgprx.dll
- pfplgscn.dll
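A hook on NtQueryDirectoryFile filters what directory enumeration returns; it does not by itself stop a file from being opened by its exact name. The cross-view check below is an added example, not code from the original description: it asks for each name the page lists whether the file answers to a direct existence check while being absent from the listing. The assumption that the hook only filters enumeration is labelled in the code, and `fake_hooked_listdir` is a constructed stand-in that simulates the filtered listing so the demo runs on any system.

```python
import fnmatch
import os
import tempfile

# File names the description reports as hidden; the rootkit's filter is "pfplg*".
KNOWN_HIDDEN = ["pfplgflt.dll", "pfplgnfo.dll", "pfplgprx.dll", "pfplgscn.dll"]
HIDDEN_PATTERN = "pfplg*"


def cross_view_diff(directory, names=KNOWN_HIDDEN, enumerate_dir=os.listdir, exists=os.path.exists):
    """Compare directory enumeration with direct open-by-name for the given names.

    Assumption: the rootkit filters the enumeration result (NtQueryDirectoryFile)
    but does not intercept a direct open of the file, so a file that exists by
    name yet is missing from the listing is being hidden.
    """
    listed = {n.lower() for n in enumerate_dir(directory)}
    report = {"hidden": [], "visible": [], "absent": []}
    for name in names:
        if not exists(os.path.join(directory, name)):
            report["absent"].append(name)
        elif name.lower() in listed:
            report["visible"].append(name)
        else:
            report["hidden"].append(name)
    # pfplg* files that still show up in the listing (e.g. driver not yet loaded)
    known = {n.lower() for n in names}
    report["visible"] += sorted(n for n in listed if fnmatch.fnmatch(n, HIDDEN_PATTERN) and n not in known)
    return report


def fake_hooked_listdir(directory):
    """Constructed stand-in for an enumeration filtered by the rootkit hook."""
    return [n for n in os.listdir(directory) if not fnmatch.fnmatch(n.lower(), HIDDEN_PATTERN)]


def demo():
    """Run the check on a temporary directory, once clean and once 'hooked'."""
    with tempfile.TemporaryDirectory() as d:
        for n in ("pfplgflt.dll", "pfplgprx.dll", "kernel32.dll"):
            open(os.path.join(d, n), "wb").close()
        clean = cross_view_diff(d)
        hooked = cross_view_diff(d, enumerate_dir=fake_hooked_listdir)
        return clean, hooked


if __name__ == "__main__":
    clean, hooked = demo()
    print("clean :", clean)
    print("hooked:", hooked)
```

On a live system the same function would be run against %SYSTEMDIR% with the default `os.listdir`; a non-empty `hidden` list is the discrepancy that enumeration-based tools cannot see.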
The downloaded files are stored in %SYSTEMDIR% with the file name prefix pfplg so that the rootkit hides them. The nature of the downloaded files may vary, since they can be changed on the remote server.
The dropped and downloaded files are DLLs whose "MZ" header signature has been removed. They are stored with a .dll extension and can be used by the rootkit to perform functions such as:
- Download more files from different websites
- Act as proxy on the compromised machine
- Scan the network for vulnerable systems
- Open a backdoor
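A DLL whose "MZ" signature is gone will not be loaded by the normal loader, and a naive signature scan will skip it, but the rest of the PE structure is still there: the e_lfanew field at offset 0x3c still points at the "PE\0\0" signature. The Python below is an added example, not code from the original description. The page does not say whether the two bytes were overwritten in place or deleted (shifting the file by two bytes), so the classifier treats both as assumptions and handles either; `minimal_pe_header` constructs a small PE header for the demo.

```python
import os
import struct


def minimal_pe_header():
    """Constructed minimal PE header: 64-byte DOS header, e_lfanew -> 0x40, COFF header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    machine, sections, timestamp, symtab, nsyms, opt_size = 0x014C, 1, 0, 0, 0, 0xE0
    characteristics = 0x2000 | 0x0002                   # IMAGE_FILE_DLL | EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", machine, sections, timestamp, symtab, nsyms, opt_size, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def classify_stripped_pe(data):
    """Return "overwritten", "truncated" or None for a buffer lacking the MZ signature.

    "overwritten": the two signature bytes were replaced in place (offsets unchanged).
    "truncated":   the two bytes were deleted, so every offset is shifted by 2.
    Both are assumptions about what "MZ removed" means; None means no PE layout found.
    """
    if data[:2] == b"MZ":
        return None                                   # intact signature, not stripped
    for kind, shift in (("overwritten", 0), ("truncated", 2)):
        off = 0x3C - shift
        if len(data) < off + 4:
            continue
        e_lfanew = struct.unpack_from("<I", data, off)[0]
        sig_at = e_lfanew - shift
        if sig_at >= 0 and data[sig_at:sig_at + 4] == b"PE\0\0":
            return kind
    return None


def repair(data):
    """Put the MZ signature back so the file can be handed to a PE parser; None if not a PE."""
    kind = classify_stripped_pe(data)
    if kind == "overwritten":
        return b"MZ" + data[2:]
    if kind == "truncated":
        return b"MZ" + data
    return None


def scan_directory(directory):
    """Map every .dll in directory to its classification (None = normal file)."""
    results = {}
    for name in os.listdir(directory):
        if not name.lower().endswith(".dll"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            results[name] = classify_stripped_pe(fh.read(512))  # headers only
    return results


if __name__ == "__main__":
    hdr = minimal_pe_header()
    for label, sample in (("intact", hdr), ("overwritten", b"\0\0" + hdr[2:]), ("truncated", hdr[2:])):
        print(label, "->", classify_stripped_pe(sample))
```

Reading only the first 512 bytes keeps the scan cheap enough to run over a whole system directory; the PE signature check via e_lfanew is what separates a stripped DLL from an unrelated file that happens to lack "MZ".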
Due to the presence of the dropped file, svchost.exe may be patched to download from:
- z.proxylist.ru/tc[REMOVED]
- z.proxylist.ru/files/[REMOVED]
- z.s4u.ru/tc[REMOVED]
Symptoms
- Presence of %SYSTEMDIR%\drivers\ndisfilter.sys file
- Presence of registry keys as mentioned
- HTTP traffic from websites as mentioned
- Machine unexpectedly performing network scan
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- Backdoor.Win32.Zosu.a (Kaspersky)
- Troj/NetAtk-F (Sophos)
- Trojan.Dropper (Symantec)
- W32/ICQbot.B.worm (Panda Antivirus)