Migmaf

Zed

Rogue Chimp
It's not an email-borne virus:

This is not an email virus. This detection is for a trojan that acts as a reverse proxy on the victim machine, redirecting HTTP requests to a remote web server.

Multiple versions of this threat are known to exist. Those received by AVERT have been packed with tElock. Users are recommended to use the 4.2.60 engine for optimal detection.

By routing HTTP requests through the reverse proxy running on victim machines, the hacker is able to mask the genuine source IP of the web server hosting the web content (typically pornographic).

Upon execution, the trojan creates a mutex of name:

REQUEST_MANAGE_SUBSYSTEM
The trojan checks the keyboard layout of the victim machine in order to stop it functioning on Russian machines (those with Russian keyboard configuration at least). Values with the following key are used to determine the layout(s):

HKEY_CURRENT_USER\Keyboard Layout\Preload
The trojan does not copy itself on the victim machine, but merely adds the following Registry hook pointing to the file that was executed:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Login Service" = (points to the file executed)
After a short sleep, the trojan attempts to access the following site:

www.microsoft.com
Subsequently, (garbage) data is sent to this site (port 80) as a means of testing available bandwidth. A disclaimer in the body of the trojan highlights this:

disclaimer: www.microsoft.com used for bandwidth speed testing only
In order to help prevent identification of the server which genuinely hosts the web content, the trojan does not connect directly to the relevant IP. Instead, it cycles through various A.B.C.D combinations, constructed by varying each octet between certain values:

  A    B    C    D
 78   12   55   61
209  128  211  187
216  164  216  210

Wouldn't worry too much about it. Not sure how it is spread, but my guess is it will be an application attached to an email of some sort. If it goes automatic then worry.

As it requires execution, any PFW with outbound communication control (BlackIce, Norton, McAfee, Zone) should prompt for a new application connection. Check the name; if you don't recognise it then kill it.

As always check the from address of any email with suspicious attachment.

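Working from the indicators AVERT lists (the "Login Service" value under the Run key, and the keyboard layouts read from HKCU\Keyboard Layout\Preload), here is an added example of triaging a `reg export` of those two keys offline in Python. It is not part of this thread or of McAfee's write-up. The sample .reg text is constructed for the demo; the attach.exe path inside it and the helper names are assumptions. 00000419 is the keyboard layout identifier for Russian (ru-RU), which is what the Preload check would be looking for. The REQUEST_MANAGE_SUBSYSTEM mutex can only be checked on the live host, so it is not covered here.

```python
"""Offline triage of a .reg export for the Migmaf indicators.

Added example, not the forum post's or AVERT's code. Parses the text format
written by `reg export` and reports the two registry indicators quoted above.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
PRELOAD_KEY = r"HKEY_CURRENT_USER\Keyboard Layout\Preload"
SUSPECT_VALUE_NAME = "Login Service"   # persistence value name from the write-up
RUSSIAN_LAYOUT = "00000419"            # Preload entries are KLIDs; 0419 = ru-RU

# Constructed sample export: the attach.exe path is invented for the demo.
# Real .reg files double every backslash, as done here.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Login Service"="C:\\Documents and Settings\\user\\Desktop\\attach.exe"

[HKEY_CURRENT_USER\Keyboard Layout\Preload]
"1"="00000409"
"2"="00000419"
"""


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}.

    Only REG_SZ (quoted) data is unescaped; dword:/hex: data is kept as raw text.
    The default value (@) is stored under the empty name."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = re.fullmatch(r"\[-?(.+)\]", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.fullmatch(r'(@|"((?:[^"\\]|\\.)*)")=(.*)', line)
        if not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def _lookup(keys, path):
    """Registry paths are case-insensitive, so match keys regardless of case."""
    for k, values in keys.items():
        if k.lower() == path.lower():
            return values
    return {}


def find_persistence(keys):
    """Return the data of a Run value named 'Login Service', or None."""
    for name, data in _lookup(keys, RUN_KEY).items():
        if name.lower() == SUSPECT_VALUE_NAME.lower():
            return data
    return None


def preload_layouts(keys):
    """Return the KLIDs listed under Preload, ordered by their numeric value name."""
    pre = _lookup(keys, PRELOAD_KEY)
    return [pre[n] for n in sorted(pre, key=lambda s: int(s) if s.isdigit() else 0)]


def has_russian_layout(keys):
    """True if the Russian layout the trojan checks for is installed."""
    return RUSSIAN_LAYOUT in preload_layouts(keys)


def load_reg_file(path):
    """reg export writes UTF-16LE with a BOM; older tools wrote ANSI."""
    with open(path, "rb") as f:
        raw = f.read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("cp1252", "replace")


def triage(text):
    keys = parse_reg_export(text)
    return {
        "login_service": find_persistence(keys),
        "layouts": preload_layouts(keys),
        "russian_layout": has_russian_layout(keys),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_REG).items():
        print(f"{k}: {v}")
```

To use it on a real host, run `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the same for the Preload key), then pass `load_reg_file("run.reg")` to `triage`. A hit on "Login Service" tells you which file to pull for analysis; the layouts list tells you whether the Russian-keyboard bail-out would have applied to that machine.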
Zed

Rogue Chimp
BTW if anyone gets this in an email let me know. I will prolly need the attachment sent to me for some work testing...