Virus:TR/Drop.Multid.BO.2
Date discovered:16/09/2005
Type:Trojan
Subtype:Dropper
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:22.009 Bytes
MD5 checksum:a65177d85f259563e57b84fae106dbe0
VDF version:6.31.1.224

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Proxy-FBSR
   •  Kaspersky: Trojan-Proxy.Win32.Ranky.z
   •  VirusBuster: Trojan.PR.Ranck.GK
   •  Bitdefender: Trojan.Proxy.Ranky.Z


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Registry modification
   • Steals information

Registry
The following value is added so that the process is started again after a reboot:

–  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Sxcasdwqas"="%malware execution directory%\feelike.exe"

Backdoor
The following ports are opened:

%executed file% listens on a random TCP port in order to provide a proxy server.
%executed file% listens on a random UDP port.


Contact server:
All of the following:
   • rogerr.homeunix.net/b.php
   • vcdf.hopto.org/b.php
   • raharah.bounceme.net/b.php
   • a70.shacknet.nu/b.php
   • roger.bounceme.net/b.php

It may then send some information to these servers. This is done via an HTTP GET request to a PHP script.
The server's answer is written to the file: %malware execution directory%\Wooked


Sends information about:
    • Opened port

Miscellaneous
Mutex:
It creates the following mutex:
   • Sdwqsdghq
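The indicators listed in the Registry, Backdoor/Contact server and Mutex sections above (the Run value "Sxcasdwqas" pointing at feelike.exe, the five contact hosts with their b.php path, the mutex "Sdwqsdghq" and the sample MD5) can be checked offline against artefacts collected from a suspect host. The script below is an added example, not part of the original description or of any vendor's tool. It assumes a .reg export of the Run key, a proxy log in a constructed "<timestamp> <client-ip> <method> <url>" format, and a list of mutex names such as a handle dump would give; all three inputs are constructed samples embedded in the block.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the description above.
IOC_RUN_VALUE = "Sxcasdwqas"
IOC_FILENAME = "feelike.exe"
IOC_MUTEX = "Sdwqsdghq"
IOC_MD5 = "a65177d85f259563e57b84fae106dbe0"
IOC_HOSTS = {
    "rogerr.homeunix.net",
    "vcdf.hopto.org",
    "raharah.bounceme.net",
    "a70.shacknet.nu",
    "roger.bounceme.net",
}
IOC_C2_PATH = "/b.php"

RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"


def scan_reg_export(reg_text):
    """Walk a .reg export and return Run entries whose value name or target
    file matches the IOCs. .reg files double backslashes inside string data,
    so the data is unescaped before the file name is compared."""
    hits = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m or key is None or not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        basename = data.lower().rsplit("\\", 1)[-1]
        if name == IOC_RUN_VALUE or basename == IOC_FILENAME:
            hits.append({"key": key, "name": name, "data": data})
    return hits


def scan_web_log(log_lines):
    """Flag requests to the contact hosts. Line format (constructed for this
    example): '<timestamp> <client-ip> <method> <url>'. A hit is marked as a
    beacon when it is a GET to the b.php path named on this page."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, method, url = parts[:4]
        u = urlparse(url)
        host = (u.hostname or "").lower()
        if host in IOC_HOSTS:
            hits.append({
                "client": client,
                "host": host,
                "path": u.path,
                "beacon": method == "GET" and u.path == IOC_C2_PATH,
            })
    return hits


def check_mutexes(mutex_names):
    """True if the malware's mutex is present in a list of mutex names."""
    return IOC_MUTEX in set(mutex_names)


def md5_matches(file_bytes):
    """Compare a file's MD5 with the sample hash. This only identifies this
    exact packed sample; a repacked variant will not match, so a miss is
    inconclusive rather than a clean verdict."""
    return hashlib.md5(file_bytes).hexdigest() == IOC_MD5


# Constructed sample inputs (not real captures).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Sxcasdwqas"="C:\\WINDOWS\\Temp\\feelike.exe"
'''

SAMPLE_LOG = [
    "2005-09-18T10:00:01 10.0.0.5 GET http://www.example.com/index.html",
    "2005-09-18T10:00:07 10.0.0.5 GET http://rogerr.homeunix.net/b.php?p=1234",
    "2005-09-18T10:00:09 10.0.0.5 GET http://vcdf.hopto.org/b.php?p=1234",
]

SAMPLE_MUTEXES = ["Global\\CtfMonInstMutex", "Sdwqsdghq"]


def run_checks():
    """Run all checks on the constructed samples and return a summary."""
    return {
        "registry": scan_reg_export(SAMPLE_REG),
        "c2": scan_web_log(SAMPLE_LOG),
        "mutex": check_mutexes(SAMPLE_MUTEXES),
    }


if __name__ == "__main__":
    for section, result in run_checks().items():
        print(section, result)
```

The registry and mutex names are the most durable indicators here because they are fixed in the binary, whereas the MD5 only identifies this one packed build and the dynamic-DNS hosts can be re-pointed or replaced at any time; treat a log hit on any of the hosts as worth investigating even when the path is not b.php.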

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • MEW 11 1.2

Description inserted by Victor Tone on Sunday, September 18, 2005
Description updated by Victor Tone on Friday, September 23, 2005
