Virus: TR/Proxy.Ranky.FX
Date discovered: 11/10/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 20.316 Bytes
MD5 checksum: 1342121bddb75852aa06e6965165dbd8
VDF version: 6.35.01.196
IVDF version: 6.35.01.200 - Friday, September 8, 2006

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Proxy-FBSR trojan
   •  Kaspersky: Trojan-Proxy.Win32.Ranky.fx
   •  TrendMicro: TROJ_RANKY.LB
   •  Sophos: Troj/Ranky-AH
   •  Eset: Win32/TrojanProxy.Ranky
   •  Bitdefender: BehavesLike:Win32.Backdoor


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Registry modification
   • Third party control

Files
It tries to download a file:

– The locations are the following:
   • http://rogerr.homeunix.net/**********
   • http://roger.bounceme.net/**********
   • http://vcdf.hopto.org/**********
   • http://dnsme.mine.nu/**********
   • http://omygodd.net/**********
It is saved on the local hard drive under: c:\dfsafasf

Furthermore, this file is executed after it has been fully downloaded. It may contain further download locations and might serve as a source for new threats.

Registry
The following registry key is added continuously, in an infinite loop, so that the process runs again after a reboot.

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Rolcopteur"="%malware execution directory%\%executed file%"

Backdoor
The following port is opened:

%malware execution directory%\%executed file% on a random TCP port in order to provide a proxy server.

Miscellaneous
Mutex:
It creates the following mutex:
   • AllAlone

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Monica Ghitun on Wednesday, October 11, 2006
Description updated by Monica Ghitun on Wednesday, October 11, 2006
