Virus:TR/Proxy.Ranky.EC.1
Date discovered:18/08/2005
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:26.624 Bytes
MD5 checksum:0F3552745EC123000CC8807F069B80A2
VDF version:6.31.1.120

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Proxy.Win32.Ranky.z
   •  VirusBuster: Trojan.PR.Ranck.GE


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification
   • Steals information
   • Third party control

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Wasdwwsa"="%malware execution directory%\%executed file%"

 Backdoor The following ports are opened:

%malware execution directory%\%executed file% on UDP port 1042
%malware execution directory%\%executed file% on a random TCP port


Contact server:
All of the following:
   • http://www.**********-gmbh.com/a.php
   • http://**********.akill.info/a.php
   • http://**********.mine.nu/a.php
   • http://**********qgegd.com/a.php
   • http://suckmy**********.com/a.php

As a result it may send some information. This is done via the HTTP GET request on a PHP script.
The servers answer is written to the file: %malware execution directory%\VEdqwdqw


Sends information about:
    • Opened port

Description inserted by Andrei Gherman on Thursday, August 18, 2005
Description updated by Andrei Gherman on Friday, August 26, 2005

Back . . . .