Virus: TR/PSW.Maran.G.5
Date discovered: 02/08/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 52.599 Bytes
MD5 checksum: c851c808d7a10F0E45a7f0771b152a64
VDF version: 6.35.01.35
IVDF version: 6.35.01.35

General

Method of propagation:
• No own spreading routine

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops files
• Drops malicious files
• Registry modification
• Steals information

Files

It deletes the initially executed copy of itself.

The following files are created:

– A file that is for temporary use and might be deleted afterwards:
  • %SYSDIR%\sporder.dll

– %SYSDIR%\gzfmxp.dll

– %SYSDIR%\hjxrbpv.dll
  Further investigation pointed out that this file is malware, too. Detected as: TR/PSW.Maran.M

– %SYSDIR%\narbpv.dll
  Further investigation pointed out that this file is malware, too. Detected as: TR/PSW.Maran.M.1

– %SYSDIR%\xprasu.dll
  Further investigation pointed out that this file is malware, too. Detected as: TR/PSW.Maran.M.2

– %SYSDIR%\xpvlporn.dll
  Further investigation pointed out that this file is malware, too.

Registry

The following registry key is added:

– HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
  • "PackedCatalogItem"=%SYSDIR%\xprasu.dll%hex values%

The following registry keys are changed:

– HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
  New value:
  • "Serial_Access_Num"=word:00000006
  • "Next_Catalog_Entry_ID"=word:000003f6
  • "Num_Catalog_Entries"=word:0000000d

– HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
  New value:
  • "PackedCatalogItem"=%SystemRoot%\system32\mswsock.dll%hex values%

– HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
  New value:
  • "PackedCatalogItem"=%SystemRoot%\system32\mswsock.dll%hex values%

– HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
  New value:
  • "PackedCatalogItem"=%SystemRoot%\system32\mswsock.dll.6%hex values%

– HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
  New value:
  • "PackedCatalogItem"=%SystemRoot%\system32\mswsock.dll.6%hex values%

– HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
  New value:
  • "PackedCatalogItem"=%SystemRoot%\system32\mswsock.dll%hex values%

– HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
  New value:
  • "PackedCatalogItem"=%SystemRoot%\system32\mswsock.dll%hex values%

– HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
  New value:
  • "PackedCatalogItem"=%SystemRoot%\system32\rsvpsp.dll%hex values%

– HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
  New value:
  • "PackedCatalogItem"=%SystemRoot%\system32\rsvpsp.dll%hex values%

– HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
  New value:
  • "PackedCatalogItem"=%SystemRoot%\system32\mswsock.dll%hex values%

– HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
  New value:
  • "PackedCatalogItem"=%SystemRoot%\system32\mswsock.dll%hex values%

– HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
  New value:
  • "PackedCatalogItem"=%SystemRoot%\system32\mswsock.dll%hex values%

– HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
  New value:
  • "PackedCatalogItem"=%SYSDIR%\xprasu.dll%hex values%

File details

Programming language:
The malware program was written in Delphi.

Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.
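The Winsock2 catalog entries above are how a layered service provider gets loaded into processes that use Winsock: each PackedCatalogItem names the provider DLL, and here entries 1 and 13 point at the dropped xprasu.dll instead of the stock providers. As an added example (not part of this description or of any vendor tool), the following Python script extracts the provider path from a PackedCatalogItem blob and flags catalog entries whose provider is not mswsock.dll or rsvpsp.dll. It assumes the blob begins with a MAX_PATH-byte NUL-padded ANSI path (the documented WSAPROTOCOL_INFO layout); the sample entries are constructed, and the live registry read only works on Windows.

```python
import sys
# Assumed layout of a Winsock2 "PackedCatalogItem" value, per the documented
# WSAPROTOCOL_INFO layout: a MAX_PATH-byte NUL-padded ANSI path to the provider
# DLL, followed by the WSAPROTOCOL_INFOA structure itself.
MAX_PATH = 260
# Stock providers that the unchanged catalog entries in the description point at.
EXPECTED_PROVIDERS = {"mswsock.dll", "rsvpsp.dll"}
CATALOG_KEY = (r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
               r"\Protocol_Catalog9\Catalog_Entries")

def provider_path(packed: bytes) -> str:
    """Extract the provider DLL path stored at the start of a PackedCatalogItem."""
    if len(packed) < MAX_PATH:
        raise ValueError("PackedCatalogItem is shorter than MAX_PATH")
    raw = packed[:MAX_PATH].split(b"\x00", 1)[0]
    return raw.decode("mbcs" if sys.platform == "win32" else "latin-1")

def is_suspicious(path: str) -> bool:
    """True when the provider file name is not one of the stock Winsock DLLs."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower() not in EXPECTED_PROVIDERS

def classify_entries(entries: dict) -> list:
    """Return (entry name, provider path) for every entry with a non-stock provider."""
    found = [(name, provider_path(blob)) for name, blob in sorted(entries.items())]
    return [(name, path) for name, path in found if is_suspicious(path)]

def read_catalog_entries() -> dict:
    """Windows only: read every PackedCatalogItem under the live catalog key."""
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CATALOG_KEY) as cat:
        for i in range(winreg.QueryInfoKey(cat)[0]):
            sub = winreg.EnumKey(cat, i)
            with winreg.OpenKey(cat, sub) as entry:
                entries[sub] = winreg.QueryValueEx(entry, "PackedCatalogItem")[0]
    return entries

def build_packed_item(path: str) -> bytes:
    """Construct a test blob: the NUL-padded path plus a zero-filled struct tail."""
    return path.encode("latin-1").ljust(MAX_PATH, b"\x00") + b"\x00" * 372

# Constructed sample modelled on the description: entry 1 repointed at xprasu.dll.
SAMPLE_ENTRIES = {
    "000000000001": build_packed_item(r"C:\WINDOWS\system32\xprasu.dll"),
    "000000000002": build_packed_item(r"%SystemRoot%\system32\mswsock.dll"),
}
if __name__ == "__main__":
    live = read_catalog_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for name, path in classify_entries(live):
        print(f"non-stock Winsock provider in catalog entry {name}: {path}")
```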
Description inserted by Marius T. Nicolae on Monday, September 18, 2006
Description updated by Andrei Ivanes on Wednesday, October 18, 2006