Proxy-ProxList.sys

Type: Trojan
SubType: Proxy
Discovery Date: 10/18/2006
Length: 9,600 bytes
Minimum DAT: 4876 (10/18/2006)
Updated DAT: 4959 (02/08/2007)
Minimum Engine: 5.1.00
Description Added: 10/18/2006
Description Modified: 10/27/2006 7:51 PM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

Proxy-ProxList.sys is a rootkit dropped by variants of the Proxy-ProxList trojan. It hides files with names of the form "pfplg*" and may also download files from various websites.

The rootkit is dropped into %SYSTEMDIR%\drivers under the file name ndisfilter.sys and is registered as a service that is started automatically at every boot, by creating the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NdisFilter

    • Type: 0x00000001
    • Start: 0x00000002
    • ErrorControl: 0x00000000
    • ImagePath: "\??\%SYSTEMDIR%\drivers\ndisfilter.sys"
    • DisplayName: "NdisFilter"
    • Group: "Base"

Proxy-ProxList.sys hooks the System Service Descriptor Table (SSDT) by replacing the entry for the function "NtQueryDirectoryFile", so that directory listings on the compromised system omit files whose names match "pfplg*". For example, the following files were hidden by the rootkit:

    • pfplgflt.dll
    • pfplgnfo.dll
    • pfplgprx.dll
    • pfplgscn.dll

The downloaded files are stored in %SYSTEMDIR% with the file-name prefix pfplg, so the rootkit hides them as well. The nature of the downloaded files may vary, as they can be changed on the remote server.

The file dropped by Proxy-ProxList and the downloaded files are DLLs whose "MZ" signature has been removed from the header. They are stored with a .dll extension and can be used by the rootkit to perform functions such as:

    • Download other files from different websites
    • Act as proxy on the compromised machine
    • Scan the network for vulnerable systems

It may also patch svchost.exe to download files from the following locations:

    • z.proxylist.ru/tc[REMOVED]
    • z.proxylist.ru/files/[REMOVED]
    • z.s4u.ru/tc[REMOVED]

Symptoms

  • Presence of the file %SYSTEMDIR%\drivers\ndisfilter.sys
  • Presence of the NdisFilter service registry key described above
  • HTTP traffic to the websites listed above
  • Machine unexpectedly performing network scan
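The checks below turn the indicators in this description (the NdisFilter service key, the ndisfilter.sys driver, the pfplg* names filtered out by the NtQueryDirectoryFile hook, and the DLL payloads with their "MZ" signature removed) into offline detection logic. This is an added example, not AVERT's tooling or part of the original description. All inputs are constructed snapshots so the code runs anywhere; on a live host they would come from the registry and from an independent (raw or offline) directory view. The stripped-header check assumes the two signature bytes were overwritten rather than deleted, which is one reading of the text above.

```python
"""Offline indicator checks for the Proxy-ProxList.sys description.

Added example, not McAfee/AVERT code. Every input is a constructed snapshot.
"""
import fnmatch
import struct

# Service key and values quoted in the description.
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NdisFilter"
EXPECTED_SERVICE = {
    "Type": 0x1,      # SERVICE_KERNEL_DRIVER
    "Start": 0x2,     # SERVICE_AUTO_START: loaded at every boot
    "ImagePath": r"\??\%SYSTEMDIR%\drivers\ndisfilter.sys",
}
HIDDEN_NAME_PATTERN = "pfplg*"   # names the NtQueryDirectoryFile hook filters out


def service_indicators(values):
    """Return the names of registry values in a service-key snapshot that match
    the description. 'values' maps value name -> data as read from the key."""
    hits = []
    for name, expected in EXPECTED_SERVICE.items():
        actual = values.get(name)
        if isinstance(expected, str):
            same = isinstance(actual, str) and actual.lower() == expected.lower()
        else:
            same = actual == expected
        if same:
            hits.append(name)
    return hits


def hidden_by_hook(api_listing, raw_listing):
    """Cross-view check: a directory-listing hook can only filter results that
    pass through the hooked API. Names present in an independent view (raw
    volume read, offline scan) but absent from the API view are being hidden."""
    return sorted(set(raw_listing) - set(api_listing))


def is_stripped_pe(data):
    """True if 'data' looks like a PE image whose 'MZ' DOS signature was
    overwritten: e_lfanew at offset 0x3C still points at a valid 'PE\\0\\0'
    header although the first two bytes are not 'MZ' (assumption: overwritten,
    not deleted)."""
    if len(data) < 0x40 or data[:2] == b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def suspicious_payloads(file_heads):
    """'file_heads' maps file name -> leading bytes. Flags names that match the
    hidden-name pattern and carry a stripped PE header."""
    return sorted(
        name for name, head in file_heads.items()
        if fnmatch.fnmatch(name.lower(), HIDDEN_NAME_PATTERN) and is_stripped_pe(head)
    )


def assess(api_view, raw_view, service_values, file_heads):
    """Combine the symptom checks from the description into one report."""
    report = {
        "driver_present": any(n.lower() == "ndisfilter.sys" for n in raw_view),
        "service_values": service_indicators(service_values),
        "hidden_files": hidden_by_hook(api_view, raw_view),
        "stripped_payloads": suspicious_payloads(file_heads),
    }
    report["match"] = (
        (report["driver_present"] and "ImagePath" in report["service_values"])
        or bool(report["hidden_files"])
        or bool(report["stripped_payloads"])
    )
    return report


# Constructed snapshot of an infected host (not captured data).
API_VIEW = ["ndisfilter.sys", "kernel32.dll"]            # what the hooked API returns
RAW_VIEW = API_VIEW + ["pfplgflt.dll", "pfplgprx.dll"]   # what an offline read shows
SERVICE_SNAPSHOT = {
    "Type": 0x1, "Start": 0x2, "ErrorControl": 0x0,
    "ImagePath": r"\??\%SYSTEMDIR%\drivers\ndisfilter.sys",
    "DisplayName": "NdisFilter", "Group": "Base",
}
# 0x40-byte DOS header with the 'MZ' bytes zeroed, e_lfanew = 0x40, then 'PE\0\0'.
STRIPPED_PE = b"\x00\x00" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
FILE_HEADS = {
    "pfplgflt.dll": STRIPPED_PE,
    "pfplgprx.dll": STRIPPED_PE,
    "kernel32.dll": b"MZ" + b"\x00" * 0x42,   # ordinary PE, signature intact
    "pfplg.txt": b"plain text here",          # matches the name pattern only
}

if __name__ == "__main__":
    for key, value in assess(API_VIEW, RAW_VIEW, SERVICE_SNAPSHOT, FILE_HEADS).items():
        print(f"{key}: {value}")
```

The cross-view comparison is the part that survives the SSDT hook: anything enumerated through the hooked kernel service is already filtered, so the second listing must come from a path the hook does not touch (a raw volume read or a scan from rescue media).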

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat is detected and cleaned with that combination.

Variants

    N/A

Overview

Proxy-ProxList.sys is a rootkit dropped by variants of the Proxy-ProxList trojan. It hides files with names of the form "pfplg*" and may also download files from various websites.

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Backdoor.Win32.Zosu.a (Kaspersky)
  • Hacktool.Rootkit (Symantec)
  • Troj/NTRootK-AT (Sophos)
  • W32/ICQbot.B.worm (Panda Antivirus)