In the wild:
- Friday, May 15, 2009
• Symantec: Backdoor.Paproxy
• McAfee: Generic Proxy!a trojan !!!
• Kaspersky: Trojan.Win32.Agent2.jyy
• Panda: W32/Koobface.AD.worm
• Eset: a variant of Win32/Tinxy.AD trojan
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads a malicious file
• Drops a malicious file
• Lowers security settings
• Registry modification
It copies itself to the following location:
It deletes the initially executed copy of itself.
It deletes the following file:
The following file is created:
– C:\SYS32DLL.bat
This batch file is executed once it has been fully written. It is used to delete a file.
It tries to download a file:
– The location is the following:
The downloaded file is executed once the download completes. At the time of writing, the file was no longer available online for further analysis.
It creates the following entry in order to bypass the Windows XP firewall:
The following registry key is changed:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
The following port is opened:
– \SYS32DLL.exe on TCP port 7171, to provide an HTTP server.
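The following host triage script is added here as an example and is not part of the Avira description. It checks a Windows host for the artifacts listed above: the SYS32DLL.exe and SYS32DLL.bat files, a process listening on TCP port 7171, and the HKLM Internet Settings key. The description gives only the file names (the drop path for the executable is truncated) and does not say which registry values change, so the directories searched and the proxy-related values flagged are assumptions.

```powershell
# Added triage script, not from the Avira description. Search directories and
# the registry values flagged below are assumptions; the description names only
# the file names, the port and the key.

$Findings = @()

# 1. Files. Only the file names are given, so check the usual drop locations
#    (assumed) rather than a single path. C:\ covers the batch file the
#    description places at C:\SYS32DLL.bat.
$SearchDirs = @($env:SystemRoot, "$env:SystemRoot\System32", $env:TEMP, $env:SystemDrive)
foreach ($Dir in $SearchDirs) {
    foreach ($Name in 'SYS32DLL.exe', 'SYS32DLL.bat') {
        $Path = Join-Path $Dir $Name
        if (Test-Path -LiteralPath $Path) {
            $Findings += "File present: $Path"
        }
    }
}

# 2. Listener on TCP 7171. netstat -ano exists on every Windows version the
#    description lists (Get-NetTCPConnection does not), so its output is parsed.
$Listeners = netstat -ano | Select-String -Pattern '^\s*TCP\s+\S+:7171\s+\S+\s+LISTENING\s+(\d+)'
foreach ($Line in $Listeners) {
    $ProcId = [int]$Line.Matches[0].Groups[1].Value
    $Proc = Get-Process -Id $ProcId -ErrorAction SilentlyContinue
    $ProcName = if ($Proc) { $Proc.ProcessName } else { 'unknown' }
    $Findings += "TCP 7171 listener: PID $ProcId ($ProcName)"
}

# 3. Internet Settings key. The description says the key is changed but not
#    which values. A local HTTP server suggests a proxy change, so the
#    proxy-related values are reported for review (assumption).
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
foreach ($Name in 'ProxyEnable', 'ProxyServer', 'AutoConfigURL', 'ProxyOverride') {
    $Val = $Props.$Name
    if ($null -ne $Val -and "$Val" -ne '' -and "$Val" -ne '0') {
        $Findings += "Internet Settings\$Name = $Val"
    }
}

if ($Findings.Count -eq 0) {
    'No artifacts from this description found.'
} else {
    'Possible infection, review the following:'
    $Findings | ForEach-Object { "  $_" }
}
```

Run it from an elevated prompt so the process list and the HKLM key are readable. The batch file is short-lived (it deletes a file and is itself dropped only during installation), so its absence proves nothing; the listener on 7171 and the proxy values are the durable indicators.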
One of the following:
The malware program was written in MS Visual C++.
To hinder detection and reduce the file size, it is packed with the following runtime packer:
Description inserted by Petre Galan on Tuesday, October 6, 2009
Description updated by Andrei Ivanes on Wednesday, October 7, 2009