Threat Descriptons



Category :


Type :


Aliases :

Trojan-Proxy:W32/Kvadr.gen!A, TrojanProxy:Win32/Dosenjo (Microsoft)


This type of trojan allows unauthorized parties to use the infected computer as a proxy server to access the Internet anonymously.


Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details


The trojan-proxy can create a file, as shown below.

  • c:\Documents and Settings\All Users\Application Data\loggy.txt

It will drop the downloaded component to following folders:

  • c:\Documents and Settings\[user]\Local Settings\Temp\csrss 5.dll
  • c:\WINDOWS\system32\csrss 5.dll

Where the '5' in the filename stands for OS version.It will also create a copy of itself at:

  • c:\Documents and Settings\All Users\Application Data\csrss.exe


While active, the trojan-proxy attempts to connect to the following domains:


With the following GET request:

  • s.html?cachingDeny=f9eolXC8sZY6590K&id=PCWUA99y0qWV3qFo HTTP/1.1\r\n

where 'f9eolXC8sZY6590K' is a random string and 'PCWUA99y0qWV3qFo' is a machine ID.After successfully connecting to one or more of those above mentioned links, it will download an additional component from the link below and start accepting connections on port 80.

  • /u.php?cashingDeny=f9eolXC8sZY6590K&id=PCWUA99y0qWV3qFo HTTP/1.1\r\n user-agent: Kvadrlson 1.0

This proxy's activity can be recognized by its user-agent, Kvadrlson 1.0.It also downloads a new hosts file, affecting a large range of domains, some of which are shown below:

Process Changes

Creates these mutexes:

  • BabloPodejdaetZlo2

Registry Modifications

Creates these keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Csrss Asynchronous = 0x00000000 (0) DllName = "csrss5.dll" Impersonate = 0x00000000 (0) Logon = "StrtPrc"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion SvchostID = "PCWUA99y0qWV3qFo"
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion Svchost[DbVersion]"5"
  • HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion Svchost[DbVersion]"5"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Servers - > uhlnzon.pbz - > purffbvq.pbz - > ibgrfvax.pbz - > svarxbybffnyqb.pbz - > ratvar.qryb-ixhfn.pbz - >
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Documents and Settings\All Users\Application Data\csrss.exe = "C:\Documents and Settings\All Users\Application Data\csrss:*:Enabled:svchost
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPOrts\List 110:TCP = "110:TCP:*:Enabled:svchost"
More Support


Ask questions in our Community .

User Guides

Check the user guide for instructions.

Contact Support

Chat with or call an expert.

Submit a Sample

Submit a file or URL for analysis.