Proxy-Agent.o
- Type
- Trojan
- SubType
- Proxy
- Discovery Date
- 07/08/2005
- Length
- 176,128 bytes (EXE); 229,376 bytes (DLL)
- Minimum DAT
- 4531 (07/08/2005)
- Updated DAT
- 5398 (10/03/2008)
- Minimum Engine
- 5.1.00
- Description Added
- 07/08/2005
- Description Modified
- 06/18/2007 4:47 AM (PT)
Characteristics
Proxy-Agent.o is a trojan intended to silently download and execute malicious content from a remote server. It uploads information about the infected machine to a remote web server. This trojan has been observed being downloaded by the Downloader-BCS trojan, which exploits a vulnerability in the Java Virtual Machine.
When the executable is run on the victim machine, the trojan drops the following files (copies of itself plus supporting files):
- %WINDIR%\system32\mstsdsc.exe (176,128 bytes) --> Copy of the trojan
- %WINDIR%\system32\tmwsock.dll (229,376 bytes) --> Copy of the trojan
- %WINDIR%\system32\sporder.dll (8,704 bytes) --> Legitimate MS dll
- %WINDIR%\system32\fmls.mzo (varies) --> Text file containing harvested email addresses
The trojan adds itself to the Windows Firewall Authorized Applications list in the registry, bypassing the default firewall rules:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "%WINDIR%\system32\mstsdsc.exe" = "%WINDIR%\system32\mstsdsc.exe:*:Enabled:mstsdsc"
It also adds itself to the Run key so that the trojan starts at every system startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "mstsdsc.exe" = "%WINDIR%\system32\mstsdsc.exe"
tmwsock.dll is installed as a Layered Service Provider (LSP), which inserts itself into the Winsock/TCP/IP stack. A Layered Service Provider can intercept and modify inbound and outbound Internet traffic.
The registration of tmwsock.dll can be verified with the following Windows command:
- netsh winsock show catalog
The trojan is also designed to scan the filesystem for certain file types and extract email addresses from them, which are written to the fmls.mzo file in the system32 folder.
The trojan can also open a proxy server on port 80. Malware authors use proxy servers to mask the origin of their attacks: the proxy receives all requests made by the attacker and relays them to a third destination, so victims can only identify the proxy server's address.
The trojan is also designed to send out emails from the infected machine and may use the Outlook and The Bat! email clients in some instances.
It is also capable of acting like a retro virus, attempting to disable various antivirus and antispyware products such as:
- Antivir
- ClamAv
- Doctor Web
- McAfee VirusScan
- Kaspersky
- McAfee AntiSpyware
- Ad-aware
- SpywareBlaster
The trojan automatically connects to the following addresses
- http://213.21.217[blocked]/contactus/
- http://213.21.217[blocked]/services/
and posts information about the infected machine to the remote server.
Symptoms
- Existence of the Registry keys described above
- Registration of tmwsock.dll as a Layered service provider.
- Outgoing HTTP traffic to the domain http://213.21.217[blocked]
Note: As the website being communicated with is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered, possibly with every user infection.
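The host-based symptoms above can be checked in one pass. The following PowerShell script is an added example, not part of the original advisory; it assumes an elevated session on the affected machine and looks only for the indicators the advisory lists (Run key, firewall exception, LSP registration, dropped files). The legitimate sporder.dll is deliberately not flagged.

```powershell
# Added example (not from the McAfee advisory): check a host for the
# Proxy-Agent.o indicators listed under "Symptoms". Run as Administrator.
$sys32 = Join-Path $env:WINDIR 'system32'
$findings = @()

# 1. Run key persistence: value "mstsdsc.exe" pointing at system32\mstsdsc.exe
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['mstsdsc.exe']) {
    $findings += "Run key value 'mstsdsc.exe' = $($run.'mstsdsc.exe')"
}

# 2. Windows Firewall Authorized Applications entry for mstsdsc.exe
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\' +
         'FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    $fw.PSObject.Properties |
        Where-Object { $_.Name -like '*\mstsdsc.exe' } |
        ForEach-Object { $findings += "Firewall exception: $($_.Name) = $($_.Value)" }
}

# 3. LSP registration: same data as 'netsh winsock show catalog', filtered for tmwsock.dll
$catalog = & netsh winsock show catalog 2>$null
if ($catalog -match 'tmwsock\.dll') {
    $findings += 'tmwsock.dll is registered in the Winsock catalog (LSP)'
}

# 4. Dropped files named in the advisory (sporder.dll is a legitimate MS dll, so skipped)
foreach ($name in 'mstsdsc.exe', 'tmwsock.dll', 'fmls.mzo') {
    $path = Join-Path $sys32 $name
    if (Test-Path $path) {
        $findings += "File present: $path ($((Get-Item $path).Length) bytes)"
    }
}

if ($findings.Count -eq 0) { 'No Proxy-Agent.o indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Removing an LSP by deleting the DLL alone can break networking on the host; let the updated DAT/Engine clean the Winsock catalog rather than editing it by hand.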
Method of Infection
This trojan has been observed being downloaded by the Downloader-BCS trojan, which exploits a vulnerability in the Java Virtual Machine. This downloader trojan exists purely to steal sensitive information and to download and run other remote files.
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants
N/A
Aliases
- BackDoor.Sporder (Doctor Web)
- Trj/Cimuz.FD (Panda)