Date discovered: 15/05/2009
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 13.824 Bytes
MD5 checksum: feb9fcb58b7537c47a0Cfc1c00702b50
IVDF version:

General
Aliases:
   •  Symantec: Backdoor.Paproxy
   •  Mcafee: Generic Proxy!a trojan !!!
   •  Kaspersky: Trojan.Win32.Agent2.jyy
   •  Panda: W32/Koobface.AD.worm
   •  Eset: a variant of Win32/Tinxy.AD trojan

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a malicious file
   • Drops a malicious file
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following location:
   • %SYSDIR%\SYS32DLL.exe

It deletes the initially executed copy of itself.

It deletes the following file:
   • C:\SYS32DLL.bat

The following file is created:

– C:\SYS32DLL.bat
   This file is executed after it has been fully created. The batch file is used to delete a file.

It tries to download a file:

– The location is the following:
   • http://85.13**********/v50/?v=63&s=I&uid=0&p=6004&q=
This file is executed after it has been fully downloaded. At the time of writing, this file was not online for further investigation.

Registry
It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   • "7171:TCP"="7171:TCP:*:Enabled:SYS32DLL"
   • "80:TCP"="80:TCP:*:Enabled:SYS32DLL"

The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • "ProxyServer"="http=localhost:7171"
   • "ProxyOverride"="*.local;"
   • "ProxyEnable"=dword:00000001

Backdoor
The following port is opened:

%SYSDIR%\SYS32DLL.exe on TCP port 7171 in order to provide an HTTP server.

Contact server:
One of the following:
   • yy-d**********.com
   • zz-d**********.com

File details
Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to make detection more difficult and to reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Petre Galan on Tuesday, October 6, 2009
Description updated by Andrei Ivanes on Wednesday, October 7, 2009
