Analysis by: Jimelle Monteser
 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Hacking Tool

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This hacking tool may be manually installed by a user.

It modifies the Internet Explorer Zone Settings.

  TECHNICAL DETAILS

File Size: 2,000,488 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 25 Apr 2013

Arrival Details

This hacking tool may be manually installed by a user.

Installation

This hacking tool drops the following files:

  • %User Profile%\PUTTY.RND
  • {grayware path}\utmp\{random filenname}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It creates the following folders:

  • {grayware path}\utmp

Other System Modifications

This hacking tool adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
MediaPlayer\Preferences\ProxySettings

HKEY_CURRENT_USER\Software\Microsoft\
MediaPlayer\Preferences\ProxySettings\
HTTP

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
MediaPlayer\Preferences
UseHTTP = "1"

HKEY_CURRENT_USER\Software\Microsoft\
MediaPlayer\Preferences
UseTCP = "0"

HKEY_CURRENT_USER\Software\Microsoft\
MediaPlayer\Preferences
UseUDP = "0"

HKEY_CURRENT_USER\Software\Microsoft\
MediaPlayer\Preferences
UseMulticast = "0"

HKEY_CURRENT_USER\Software\Microsoft\
MediaPlayer\Preferences\ProxySettings\
HTTP
ProxyBypass = "0"

HKEY_CURRENT_USER\Software\Microsoft\
MediaPlayer\Preferences\ProxySettings\
HTTP
ProxyStyle = "1"

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{grayware path}\{grayware filename} = "{grayware path}\{grayware filename}:*:Enable:{grayware filename}"

Web Browser Home Page and Search Page Modification

This hacking tool modifies the Internet Explorer Zone Settings.

NOTES:

This is a risky proxy tool used to bypass admin network rules/policy. It opens TCP port 9666 to connect to a server. It displays the following:

  SOLUTION

Minimum Scan Engine: 9.300

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Identifying the Grayware Files

Download the latest spyware pattern file and scan your computer. Note the path and file name of all files detected as HKTL_PROXSURF.

Step 3

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences
    • ProxySettings

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • {grayware path}\{grayware filename} = "{grayware path}\{grayware filename}:*:Enable:{grayware filename}"
  • In HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences
    • UseHTTP = "1"
  • In HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences
    • UseTCP = "0"
  • In HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences
    • UseUDP = "0"
  • In HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences
    • UseMulticast = "0"

Step 5

Search and delete these folders

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • {grayware path}\utmp

Step 6

Search and delete this file

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %User Profile%\\PUTTY.RND

Step 7

Reset Internet security settings

[ Learn More ]

Step 8

Scan your computer with your Trend Micro product to delete files detected as HKTL_PROXSURF If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 9

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.


Did this description help? Tell us how we did.