Virus:TR/Proxy.Wopla.Q.4
Date discovered:02/02/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:20.992 Bytes
MD5 checksum:f021056fd653f96ea629dd6bfca6d444
VDF version:6.33.00.187

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Trojan.Tannick.B
   •  Kaspersky: Trojan-Proxy.Win32.Wopla.q
   •  Bitdefender: Trojan.Proxy.Wopla.Q


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Uses its own Email engine
   • Registry modification
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\%eight-digit random character string%.exe



It deletes the initially executed copy of itself.



The following files are created:

– A file that is for temporary use and it might be deleted afterwards:
   • %SYSDIR%\xtempx.xxx

%SYSDIR%\%eight-digit random character string%.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Proxy.Wopla.Q.1

 Registry The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
   ShellServiceObjectDelayLoad]
   • "SysTray.Exgl"="{636821FC-6F5C-2f1b-B164-E67214F678E2}"

– [HKLM\SOFTWARE\Classes\CLSID\{636821FC-6F5C-2f1b-B164-E67214F678E2}\
   InProcServer32]
   • @="%SYSDIR%\%malware dll%"
   • "ThreadingModel"="Apartment"



The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
   • "Placeholder_Datagl"=%hex values%gl.secd**********%hex values%gl.nulladd**********%hex values%

 Email It contains an integrated SMTP engine in order to send Spam emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.
Gathered addresses from the internet. Please do not assume that it was the senders intention to send this email to you. He might not know about his infection or might not even be infected at all. Furthermore it is possible that you will receive bounced emails that tell you that you are infected. This might also not be the case.


To:
– Gathered addresses from the internet.


Subject:
The following:
   • %gathered from the internet%



Body:
The body of the email is the following:
   • %gathered from the internet%

 Backdoor The following port is opened:

%WINDIR%\explorer.exe on a random TCP port in order to provide a Socks 5 proxy server.


Contact server:
The following:
   • gl.secd**********

As a result remote control capability is provided.

Remote control capabilities:
    • Send emails
    • Visit a website

 Miscellaneous Mutex:
It creates the following Mutex:
   • rgl_eqfdsafsdamrytrrrrrrtrrtdytcjuyrnedk

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • PECompact

Description inserted by Daniel Constantin on Monday, March 6, 2006
Description updated by Daniel Constantin on Thursday, March 9, 2006

Back . . . .