TROJ_PROXY.E

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system. As of this writing, the said sites are inaccessible.

It does not have any information-stealing capability.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following non-malicious file:

• %Application Data%\Common Files\Plugins\index.txt ← where it will save its configuration file

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

• %Application Data%\Common Files\Plugins

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Propagation

This Trojan does not have any propagation routine.

Backdoor Routine

This Trojan does not have any backdoor routine.

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://www.{BLOCKED}c.net/111/{random}
• http://www.{BLOCKED}c.net:443/111/{random} - where {random} depends on its configuration file

It connects to the following URL(s) to download its configuration file:

• http://www.{BLOCKED}c.net:443/111/index.html
• http://www.{BLOCKED}c.net/111/index.html

It saves the files it downloads using the following names:

• %Application Data%\Common Files\Plugins\{random filename}.txt
• %Application Data%\Common Files\Plugins\{random filename}.exe
  where {random filename} depends on its configuration file

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

As of this writing, the said sites are inaccessible.

Information Theft

This Trojan does not have any information-stealing capability.

NOTES:

This Trojan's configuration file contains the following information:

• File name of the downloaded file
• URL file path

This Trojan runs only when the day is Wednesday. It checks for the system's proxy settings by querying registry with the following value name:

• ProxyEnable
• ProxyServer
• AutoConfigURL

It can also bypass proxy. It deletes dropped and/or downloaded files after execution.

It does not have rootkit capabilities.

It does not exploit any vulnerability.