Proxy-SysNT

Type: Trojan
SubType: Proxy
Discovery Date: 01/06/2006
Length: 436,736
Minimum DAT: 4669 (01/06/2006)
Updated DAT: 4670 (01/09/2006)
Minimum Engine: 5.1.00
Description Added: 01/06/2006
Description Modified: 01/11/2006 7:01 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This detection is for malware intended to serve as a proxy on the victim machine. These proxy trojans act as a middleman between a requesting system and a destination host. They are designed to listen on a specified TCP port for incoming requests. Those requests are then sent out from the infected system to the desired destination. The response from the destination server is rerouted back to the originating host by the proxy trojan.

This proxy allows a trojan author or distributor to use the infected system as a type of identity shield, letting them navigate to different locations on the Internet without divulging who or where they really are.

Such proxies can be used to surf the web anonymously, hack systems, or relay spam.

Upon execution, a port is opened for listening on the victim machine; the exact port is likely to vary between deployments. The Proxy-SysNT trojan reads a configuration file located at C:\Nt.sys, which determines the port number used.

No installation on the victim machine was observed for at least one sample received by AVERT. Other variants are likely to incorporate some form of installation, typically copying the trojan into the Windows or System directory.

Symptoms

  • Unexpected network traffic.
  • Presence of the file C:\Nt.sys (configuration file).
  • When the above configuration file is not present, the trojan pops up an error dialog.
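As an added example (not part of the AVERT description), a Python heuristic a responder could run over `netstat -ano` output to spot the middleman pattern described above: one process that both listens on a TCP port and holds established connections to several distinct remote hosts. It also checks for the configuration-file indicator from the Symptoms list; the netstat lines and file list are constructed, and PIDs and addresses are made up.

```python
"""Heuristic host check for the proxy-trojan pattern described on this page."""
import re
from collections import defaultdict

# Constructed sample modelled on `netstat -ano` output (not a real capture).
# PID 1337 listens on 8080 and relays to three remote hosts; PID 884 only
# listens; PID 2048 only has one outbound connection.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.0.2.10:8080        198.51.100.7:52110     ESTABLISHED     1337
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1337
  TCP    192.0.2.10:49211       203.0.113.25:80        ESTABLISHED     1337
  TCP    192.0.2.10:49212       203.0.113.99:25        ESTABLISHED     1337
  TCP    192.0.2.10:49213       203.0.113.14:443       ESTABLISHED     1337
  TCP    192.0.2.10:49300       203.0.113.50:443       ESTABLISHED     2048
"""

# Configuration-file indicator named in the Symptoms section.
CONFIG_INDICATOR = r"C:\Nt.sys"

LINE_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")


def find_relay_candidates(netstat_text, min_outbound=2):
    """Return {pid: (listen_ports, remote_hosts)} for PIDs that LISTEN on a
    TCP port and also hold ESTABLISHED connections to at least
    `min_outbound` distinct remote hosts from non-listening local ports."""
    rows = [m.groups() for m in map(LINE_RE.match, netstat_text.splitlines()) if m]
    listens = defaultdict(set)
    for _, lport, _, _, state, pid in rows:          # pass 1: listeners
        if state == "LISTENING":
            listens[pid].add(int(lport))
    outbound = defaultdict(set)
    for _, lport, rip, _, state, pid in rows:        # pass 2: relay legs
        # Inbound clients arrive on the listening port; outbound relay
        # connections use ephemeral local ports, so only count the latter.
        if state == "ESTABLISHED" and int(lport) not in listens[pid]:
            outbound[pid].add(rip)
    return {pid: (sorted(listens[pid]), sorted(outbound[pid]))
            for pid in listens if len(outbound[pid]) >= min_outbound}


def config_file_present(file_paths):
    """True when the C:\\Nt.sys indicator appears in a list of host paths;
    the comparison is case-insensitive, as NTFS path lookup is."""
    return CONFIG_INDICATOR.lower() in {p.lower() for p in file_paths}
```

A hit from `find_relay_candidates` is a lead, not a verdict: legitimate proxies and some servers show the same shape, so confirm the image path and the presence of the configuration file before acting.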

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • trojan-proxy.win32.delf.aq (Kaspersky)