Proxy-Fireby

Type
Trojan
SubType
Proxy
Discovery Date
04/26/2005
Length
varies
Minimum DAT
4477 (04/26/2005)
Updated DAT
5411 (10/21/2008)
Minimum Engine
5.1.00
Description Added
04/26/2005
Description Modified
04/01/2008 2:09 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a detection for the Proxy-Fireby trojan, a VNC-based backdoor that lets an attacker remotely control the infected machine.

When the executable is run on the victim machine, the trojan copies itself to the following locations:

  • %WINDIR%\system32\sarc.exe (20,531 bytes)
  • %WINDIR%\system32\SVCHOST.EXE (589,824 bytes)
  • %WINDIR%\system32\VNCHooks.dll (77,824 bytes)

The SVCHOST.EXE dropped here is a renamed VNC server, not the legitimate Windows service host, which is a much smaller binary. Note that the registry entries below reference %WINDIR%\SVCHOST.EXE rather than the system32 copy listed above, so check both locations; any svchost.exe found outside %WINDIR%\system32 should be treated as suspect.

The trojan adds itself to the Windows Firewall authorized applications list in the registry, so that inbound connections to it are permitted by the default firewall policy. The value format is path:scope:Enabled:display-name, and the display name "DHCP" is chosen so the exception looks like a legitimate service in the firewall's Exceptions list.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    "%WINDIR%\SVCHOST.EXE" = "%WINDIR%\SVCHOST.EXE:*:Enabled:DHCP"

Adds a Run key entry so that the trojan is started at every boot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    WinVNC = "%Windir%\SVCHOST.EXE -servicehelper"

Registers itself as a service with the following registry entry. Type 0x110 is SERVICE_WIN32_OWN_PROCESS combined with SERVICE_INTERACTIVE_PROCESS, Start 2 means automatic start at boot, and ObjectName LocalSystem means the service runs with full SYSTEM privileges; the display name "WindowsMgr" is chosen to look legitimate in the Services console.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winvnc
    Type = 0x00000110
    Start = 0x00000002
    ErrorControl = 0x00000001
    ImagePath = ""%Windir%\SVCHOST.EXE" -service"
    DisplayName = "WindowsMgr"
    ObjectName = "LocalSystem"


The trojan also opens a VNC listener on TCP port 80. Because port 80 is normally used for HTTP, the listener is less conspicuous and more likely to be allowed through perimeter filtering; through it the attacker can remotely administer the machine.

Symptoms

  •  Existence of the registry keys described above
  •  Presence of the files listed above, in particular an SVCHOST.EXE outside %WINDIR%\system32
  •  Presence of an unexpected VNC listener or connection on TCP port 80
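The following script is an added example, not part of the original AVERT description, that turns the indicators above into an offline triage check. It assumes the analyst has already captured `reg query <key> /s` output for the three registry keys, `netstat -ano` output, and a (path, size) listing of %WINDIR% and %WINDIR%\system32 from the suspect host; the sample inputs embedded at the bottom are constructed to match the description and are not real captures. The "svchost.exe outside system32" rule is an assumption based on where the legitimate Windows service host lives, not something the description states.

```python
"""Offline triage for the Proxy-Fireby indicators (added example, constructed samples)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    category: str   # run-key | service | firewall | listener | file
    detail: str


# Registry keys from the description, lowercased for case-insensitive lookup.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SERVICE_KEY = r"hkey_local_machine\system\currentcontrolset\services\winvnc"
FIREWALL_KEY = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
                r"\parameters\firewallpolicy\standardprofile\authorizedapplications\list")
# Dropped file names and the on-disk sizes the description reports.
DROPPED_FILES = {"sarc.exe": 20531, "svchost.exe": 589824, "vnchooks.dll": 77824}


def parse_reg_query(text):
    """Parse `reg query <key> /s` output into {key: {value_name: data}}.
    Key lines are flush left; value lines are indented 'name  type  data'."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = line.strip().lower()
            keys[current] = {}
        elif current is not None:
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                keys[current][parts[0]] = parts[2]
    return keys


def outside_system32(path):
    """Assumption: the legitimate svchost.exe lives only in %WINDIR%\\system32."""
    return "\\system32\\" not in path.lower()


def check_registry(reg):
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if name.lower() == "winvnc" or "-servicehelper" in data.lower():
            findings.append(Finding("run-key", f"{name} = {data}"))
    svc = reg.get(SERVICE_KEY)
    if svc is not None:
        findings.append(Finding("service", f"winvnc service, DisplayName={svc.get('DisplayName')!r}, "
                                           f"ImagePath={svc.get('ImagePath')!r}"))
    for data in reg.get(FIREWALL_KEY, {}).values():
        fields = data.rsplit(":", 3)           # path:scope:Enabled|Disabled:label
        if len(fields) != 4:
            continue
        path, scope, state, label = fields
        base = path.lower().rsplit("\\", 1)[-1]
        if base in DROPPED_FILES and (base != "svchost.exe" or outside_system32(path)):
            findings.append(Finding("firewall", f"{path} authorized as {label!r} ({state}, scope {scope})"))
    return findings


def check_netstat(text):
    """Flag TCP listeners on port 80 in `netstat -ano` output (Proto Local Foreign State PID)."""
    findings = []
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 5 and p[0] == "TCP" and p[3] == "LISTENING" and p[1].rsplit(":", 1)[1] == "80":
            findings.append(Finding("listener", f"TCP port 80 LISTENING, PID {p[4]}"))
    return findings


def check_files(entries):
    """entries: iterable of (path, size) pairs, e.g. gathered with os.walk and os.stat."""
    findings = []
    for path, size in entries:
        base = path.lower().replace("/", "\\").rsplit("\\", 1)[-1]
        if DROPPED_FILES.get(base) == size:
            findings.append(Finding("file", f"{path} ({size} bytes) matches a dropped-file size"))
        elif base == "svchost.exe" and outside_system32(path):
            findings.append(Finding("file", f"{path}: svchost.exe outside system32"))
    return findings


def scan(reg_text, netstat_text, files):
    return check_registry(parse_reg_query(reg_text)) + check_netstat(netstat_text) + check_files(files)


# Constructed samples shaped like `reg query ... /s`, `netstat -ano` and a file walk.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    WinVNC    REG_SZ    C:\WINDOWS\SVCHOST.EXE -servicehelper

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winvnc
    Type    REG_DWORD    0x110
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    "C:\WINDOWS\SVCHOST.EXE" -service
    DisplayName    REG_SZ    WindowsMgr
    ObjectName    REG_SZ    LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\WINDOWS\SVCHOST.EXE    REG_SZ    C:\WINDOWS\SVCHOST.EXE:*:Enabled:DHCP
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1544
  TCP    192.168.1.5:1039       10.0.0.2:5900          ESTABLISHED     1544
"""
SAMPLE_FILES = [
    (r"C:\WINDOWS\system32\svchost.exe", 14336),   # legitimate service host: not flagged
    (r"C:\WINDOWS\SVCHOST.EXE", 589824),
    (r"C:\WINDOWS\system32\sarc.exe", 20531),
    (r"C:\WINDOWS\system32\VNCHooks.dll", 77824),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_FILES):
        print(f"[{f.category}] {f.detail}")
```

Run against the constructed samples it reports seven findings: the WinVNC Run entry, the winvnc service, the firewall exception labelled DHCP, the port 80 listener (PID 1544) and the three dropped files, while the legitimate system32\svchost.exe is left alone. The registry and file checks match on the indicators the description gives, so a repacked variant with different sizes would still be caught by the Run key, service name and out-of-place svchost.exe rules, but not by the size check.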

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the pretence that the executable is something beneficial. Distribution channels include spam e-mail, IRC, P2P networks, newsgroup postings, etc.

Removal

A combination of the latest DATs and the scan engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly for files received via P2P clients, IRC, e-mail or other media where users can share files.

Variants

    N/A

Aliases

  • Backdoor.Staprew.B (Symantec)
