Virus:TR/Proxy.Dlena.AT
Date discovered:01/12/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:29.696 Bytes
MD5 checksum:e7e78b720c8f95b1cc4149853b671d12
VDF version:6.36.01.109
IVDF version:6.36.01.114 - Friday, December 1, 2006

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Proxy.Win32.Dlena.at
   •  F-Secure: Trojan-Proxy.Win32.Dlena.at
   •  Sophos: Troj/Proxy-FF
   •  Grisoft: Proxy.JBB


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files
   • Drops a malicious file
   • Registry modification
   • Third party control

 Files The following file is created:

%SYSDIR%\rpcc.dll



It tries to download some files:

– The location is the following:
   • http://193.37.152.88/**********
This file may contain further download locations and might serve as source for new threats.

– The location is the following:
   • http://205.209.179.44/**********
This file may contain further download locations and might serve as source for new threats.

– The location is the following:
   • http://66.185.126.201/**********
This file may contain further download locations and might serve as source for new threats.

– The location is the following:
   • http://66.185.126.34/**********
This file may contain further download locations and might serve as source for new threats.

 Registry The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
   rpcc]
   • "DllName"="%SYSDIR%\rpcc.dll"
   • "Asynchronous"=dword:00000001
   • "Impersonate"=dword:00000001
   • "Startup"="Startup"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts]
   • "Id"=dword:787d1157
   • "Lid"=dword:0000001a

 Mailing MX Server:
It has the ability to contact one of the following MX servers:
   • mindspring.com
   • yahoo.com
   • microsoft.com

 Backdoor Contact server:
The following:
   • %URL from downloaded file%

As a result remote control capability is provided.

Remote control capabilities:
    • Download file
    • Execute file
    • Send emails

 Injection –  It injects the following file into a process: rpcc.dll

    All of the following processes:
   • svchost.exe
   • winlogon.exe


 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • PePack

Description inserted by Adriana Popa on Friday, January 12, 2007
Description updated by Adriana Popa on Friday, January 12, 2007

Back . . . .