Trojan-Proxy:W32/Kvadr.gen!A

Name: Trojan-Proxy:W32/Kvadr.gen!A
Aliases: TrojanProxy:Win32/Dosenjo (Microsoft)
Category: Malware
Type: Trojan-Proxy
Platform: W32

Summary

This type of trojan allows unauthorized parties to use the infected computer as a proxy server to access the Internet anonymously.

Details


Process Changes
Creates these mutexes:

  •  BabloPodejdaetZlo2



Registry Modifications
Creates these keys:

  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Csrss
        Asynchronous = 0x00000000 (0)
        DllName = "csrss5.dll"
        Impersonate = 0x00000000 (0)
        Logon = "StrtPrc"
  •   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
        SvchostID = "PCWUA99y0qWV3qFo"
  •   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion
        SvchostVersion = "5"
  •   HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion
        SvchostVersion = "5"
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Servers
        snagbznfg.eh             -> fantomast.ru
        uhlnzon.pbz              -> huyamba.com
        purffbvq.pbz             -> chessoid.com
        ibgrfvax.pbz             -> votesink.com
        svarxbybffnyqb.pbz       -> finekolossado.com
        ratvar.qryb-ixhfn.pbz    -> engine.delo-vkusa.com
        (the value names are ROT13-encoded server host names; the decoded name is shown after the arrow)
  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
        C:\Documents and Settings\All Users\Application Data\csrss.exe = "C:\Documents and Settings\All Users\Application Data\csrss:*:Enabled:svchost"
  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
        110:TCP = "110:TCP:*:Enabled:svchost"
        (these two entries whitelist the dropped csrss.exe copy in the Windows Firewall and open TCP port 110)
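As an added example (not part of the original description), the following Python script parses a "reg export" text dump, ROT13-decodes the value names under the Servers key and reports the Winlogon Notify DLL name; the sample dump is constructed, and its value data are placeholders because the description lists only the value names.

```python
import codecs
import re

# Constructed sample of a "reg export" dump from an infected host. The value data
# after '=' are placeholders: the description lists only the value names.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Servers]
"snagbznfg.eh"="1"
"uhlnzon.pbz"="1"
"ratvar.qryb-ixhfn.pbz"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Csrss]
"Asynchronous"=dword:00000000
"DllName"="csrss5.dll"
"Impersonate"=dword:00000000
"Logon"="StrtPrc"
'''

SERVERS_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Servers'
NOTIFY_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Csrss'

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: raw_data}} from a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()   # registry paths are case-insensitive
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def kvadr_indicators(text):
    """Return (decoded server domains, Winlogon Notify DllName) found in the dump."""
    keys = parse_reg(text)
    servers = keys.get(SERVERS_KEY.lower(), {})
    # The value names under Servers are ROT13-encoded host names.
    domains = sorted(codecs.decode(name, 'rot13') for name in servers)
    dll = keys.get(NOTIFY_KEY.lower(), {}).get('DllName', '').strip('"')
    return domains, dll
```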


Additional Details


Installation

The trojan-proxy may create the following file:

  •   c:\Documents and Settings\All Users\Application Data\loggy.txt

It drops the downloaded component into the following locations:

  •  c:\Documents and Settings\[user]\Local Settings\Temp\csrss5.dll
  •  c:\WINDOWS\system32\csrss5.dll

The '5' in the filename is the Windows major version number.

It will also create a copy of itself at:

  •   c:\Documents and Settings\All Users\Application Data\csrss.exe


Activity

While active, the trojan-proxy attempts to connect to the following domains:

  •  propellero.com
  •  googlestats.ru
  •  alexastats.ru
  •  profeller.ru
  •  google-ana1itics.com
  •  searchmachiner.com

With the following GET request:

  •   s.html?cachingDeny=f9eolXC8sZY6590K&id=PCWUA99y0qWV3qFo HTTP/1.1\r\n

where 'f9eolXC8sZY6590K' is a random string and 'PCWUA99y0qWV3qFo' is the machine ID (the same value stored in the SvchostID registry value listed above).

After successfully connecting to one or more of the domains listed above, it downloads an additional component with the request below and starts accepting connections on port 80.

  •  /u.php?cashingDeny=f9eolXC8sZY6590K&id=PCWUA99y0qWV3qFo HTTP/1.1\r\n
      user-agent: Kvadrlson 1.0

This proxy's activity can be recognized by its user-agent, Kvadrlson 1.0.
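To make this traffic detectable at a web proxy, here is an added Python example (not from the original description) that scans log lines for the check-in and download requests and for the Kvadrlson 1.0 user-agent and extracts the machine ID so it can be matched against the SvchostID registry value; the log lines are constructed, in an assumed one-request-per-line layout.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request paths and user-agent from the description. The parameter name appears as
# both 'cachingDeny' and 'cashingDeny', so both spellings are accepted.
BEACON_PATHS = {'/s.html', '/u.php'}
MALWARE_UA = 'Kvadrlson 1.0'

# Constructed proxy log lines in an assumed "client method url \"user-agent\"" layout
# (not real traffic); token and machine ID are the example values from the description.
SAMPLE_LOG = '''\
10.0.0.7 GET http://propellero.com/s.html?cachingDeny=f9eolXC8sZY6590K&id=PCWUA99y0qWV3qFo "Mozilla/4.0"
10.0.0.7 GET http://googlestats.ru/u.php?cashingDeny=f9eolXC8sZY6590K&id=PCWUA99y0qWV3qFo "Kvadrlson 1.0"
10.0.0.9 GET http://example.com/index.html "Mozilla/5.0"
10.0.0.9 GET http://example.com/s.html?page=2 "Mozilla/5.0"
'''

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def classify(line):
    """Return (client, host, machine_id, reasons) for a Kvadr-looking request, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, _method, url, ua = m.groups()
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    token = (qs.get('cachingDeny') or qs.get('cashingDeny') or [None])[0]
    machine_id = qs.get('id', [None])[0]
    reasons = []
    if parts.path in BEACON_PATHS and token and machine_id:
        reasons.append('beacon:' + parts.path.lstrip('/'))
    if ua == MALWARE_UA:
        reasons.append('user-agent')
    if not reasons:
        return None
    # machine_id can be matched against the SvchostID registry value on suspect hosts
    return client, parts.hostname, machine_id, tuple(reasons)


def scan(log_text):
    """Return all hits in a block of log text, in order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```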

It also downloads a replacement hosts file that maps a large range of domains, most of them search engine and web portal sites, to the loopback address 127.0.0.1, so that requests for those names go to the local machine instead.

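An added Python example, not part of the original description, that checks a hosts file (on Windows, %SystemRoot%\System32\drivers\etc\hosts) for names mapped to a loopback address other than the usual localhost aliases; the hosts excerpt is constructed from a few of the entries the trojan's replacement file contains.

```python
import ipaddress

# Constructed hosts file excerpt (not a real capture): the stock localhost lines plus
# a few of the search-engine entries found in the trojan's replacement hosts file.
SAMPLE_HOSTS = '''\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1    go.mail.ru
127.0.0.1    www.google.com.au   # trailing comment
127.0.0.1    search.yahoo.com search.msn.com
192.168.1.10 intranet.local
'''

# Names that legitimately point at loopback on Windows and common Unix systems.
LEGIT_LOOPBACK_NAMES = {'localhost', 'localhost.localdomain', 'broadcasthost',
                        'ip6-localhost', 'ip6-loopback'}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address field
        for name in fields[1:]:                 # one line may list several names
            yield ip, name.lower()


def blackholed_hosts(text):
    """Return hostnames mapped to loopback that are not normal localhost aliases."""
    return sorted({name for ip, name in parse_hosts(text)
                   if ip.is_loopback and name not in LEGIT_LOOPBACK_NAMES})
```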