Virus:TR/Proxy.Lager.AQ.9
Date discovered:07/04/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:51.603 Bytes
MD5 checksum:4c5251efd0bae37655d169065206519f
VDF version:6.34.00.165

General
Method of propagation:
   • No own spreading routine


Aliases:
   • Kaspersky: Packed.Win32.Tibs
   • VirusBuster: virus Trojan.PR.Lager.Gen!Pac1


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Drops a file
   • Drops a malicious file
   • Registry modification
   • Third party control

Files
The following files are created:

– Non malicious file:
   • %SYSDIR%\zlbw.dll

– A file that is for temporary use and it might be deleted afterwards:
   • %SYSDIR%\log.txt

– Malicious file:
   • %SYSDIR%\taskdir.dll
Furthermore, it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Proxy.Lager.AQ.1

It tries to download a file:

– The location is the following:
   • http://216.255.179.238/new/cntr/bin/**********
It is saved on the local hard drive under: %SYSDIR%\taskdir~.exe. Furthermore, this file gets executed after it was fully downloaded. At the time of writing, this file was not online for further investigation.

Registry
The following registry keys are added:

– [HKEY_CURRENT_USER]
   • "ColorTable19"=dword:%hex number%
   • "ColorTable20"=dword:%hex number%

Backdoor
Contact server:
All of the following:
   • 216.255.179.238/new/cntr/**********
   • 69.50.161.106/n/**********
   • 69.50.184.194/n/**********
   • 216.255.179.238/new/cls/**********
   • 81.177.3.175/n/**********

As a result, it may send information and remote control could be provided. This is done via HTTP GET and POST requests to a PHP script.


Sends information about:
   • Computer name
   • Current malware status


Remote control capabilities:
   • Send emails

Injection
It injects the following file into a process: taskdir.dll

Process name:
   • %all processes started after malware is active in memory%


Miscellaneous
Mutex:
It creates the following Mutex:
   • _alanchum

Rootkit Technology
This is a malware-specific technology: the malware hides its presence from system utilities, security applications and, ultimately, from the user.


Hides the following:

– Files that contain the substring in their filename:
   • taskdir

– Processes that contain the following substring in their names:
   • taskdir

– The following registry value:
   • taskdir


Method used:
   • Hidden from Windows API

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hamper detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Daniel Constantin on Friday, April 7, 2006
Description updated by Daniel Constantin on Wednesday, April 12, 2006
