Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:TR/Proxy.16384.A
Date discovered:19/05/2009
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:16.384 Bytes
MD5 checksum:99e33a3d24366ad569ab7115aabbed5c
IVDF version:7.01.03.231 - Tuesday, May 19, 2009

 General Aliases:
   •  Mcafee: W32/Koobface.worm virus
   •  Sophos: W32/Koobface-C
   •  Panda: Trj/Proxy.CM
   •  Eset: Win32/Tinxy.AD
   •  Bitdefender: Win32.Worm.Koobface.CD


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\SYS32DLL.exe



It deletes the initially executed copy of itself.



It deletes the following file:
   • C:\SYS32DLL.bat



The following file is created:

C:\SYS32DLL.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file. Detected as: BAT/SYS32open




It tries to download a file:

The location is the following:
   • http://zz-dns.com/**********/?v=%number%&s=I&uid=%number%&p=%number%&q=
At the time of writing this file was not online for further investigation.

 Registry One of the following values is added in order to run the process after reboot:

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "SYS32DLL"="SYS32DLL"



The following registry keys are changed:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • "ProxyEnable"=dword:0x00000001
   • "ProxyOverride"="*.local;"
   • "ProxyServer"="http=localhost:7171"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • "ProxyEnable"=dword:0x00000001
   • "ProxyOverride"="*.local;"
   • "ProxyServer"="http=localhost:7171"

 Backdoor The following port is opened:

%SYSDIR%\SYS32DLL.exe on TCP port 7171 in order to provide a proxy server.

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Friday, November 27, 2009
Description updated by Petre Galan on Friday, November 27, 2009

Back . . . .