Virus:TR/Proxy.Horst.bl
Date discovered:19/04/2006
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:49.664 Bytes
MD5 checksum:d06bf79493e4e41528f9ebf2d96a34a1
VDF version:6.34.00.199
IVDF version:6.34.00.201 - Wednesday, April 19, 2006

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Proxy.Win32.Horst.bl
   •  Bitdefender: Trojan.Proxy.Horst.Q


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification
   • Third party control

 Files It copies itself to the following location:
   • %WINDIR%\system\smss.exe



The following files are created:

%TEMPDIR%\tmp1.tmp Further investigation pointed out that this file is malware, too.
%SYSDIR%\nvsvcd.exe Further investigation pointed out that this file is malware, too.



It tries to download a file:

– The location is the following:
   • http://up.medbod.com/up/**********?jaal-1_%number%_%number%
It is saved on the local hard drive under: %TEMPDIR%\%number%exmodul32.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too.

 Registry The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • ".nvsvc"="%WINDIR%\system\smss.exe /w"



The following registry keys are added in order to load the service after reboot:

– HKLM\SYSTEM\CurrentControlSet\Services\Windows Log
   • "Type"=dword:00000010
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000001
   • "ImagePath"="%SYSDIR%\nvsvcd.exe"
   • "DisplayName"="Windows Log"
   • "ObjectName"="LocalSystem"

– HKLM\SYSTEM\CurrentControlSet\Services\Windows Log\Security
   • "Security"=%hex values%



The following registry key including all values and subkeys is removed:
   • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50



The following registry key is added:

– HKCU\Software\Microsoft\PModule
   • "Hash"="%hex number%"
   • "Pid"=dword:00000c88

 Email From:
Gathered addresses from the internet. Please do not assume that it was the senders intention to send this email to you. He might not know about his infection or might not even be infected at all. Furthermore it is possible that you will receive bounced emails that tell you that you are infected. This might also not be the case.


To:
– Gathered addresses from the internet.


Body:
– Contains HTML code.
The contents is the same as in the file: http://seekj.lootseek.com/d/**********



The email looks like the following:


 IRC To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: info.cabmun.**********
Port: 5190
Nickname: jaal-1_%number%_%number%

Server: up.barmuz.**********
Port: 1021
Nickname: jaal-1_%number%_%number%


– Furthermore it has the ability to perform actions such as:
    • Download file
    • Execute file

 Backdoor Contact server:
The following:
   • http://rc.rizalof.com/**********?version=%number%



Sends information about:
    • Current malware status

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Ionut Slaveanu on Wednesday, June 14, 2006
Description updated by Ionut Slaveanu on Wednesday, June 28, 2006

Back . . . .