TrojanProxy:Win32/Pramro.F is a trojan that creates a proxy on an infected computer. Proxy servers may be used by attackers to hide the origin of malicious activity. In this case, the proxy may be used to relay spam and HTTP traffic. In the wild, TrojanProxy:Win32/Pramro.F has been observed in association with variants of the Win32/Sality malware family, such as Virus:Win32/Sality.AT.
TrojanProxy:Win32/Pramro.F runs from where it is executed. It creates the mutex "qiwuyeiu2983" to avoid running multiple instances of itself.
Modifies security settings
TrojanProxy:Win32/Pramro.F adds itself to the Windows Firewall exclusion list by modifying the following registry entry:
Sets value: "<malware>"
With data: "<path to malware executable>:*:enabled:ipsec"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Creates SOCKS proxy
TrojanProxy:Win32/Pramro.F may initially contact the following sites (possibly to test its functionality):
The trojan then makes several HTTP GET requests to the following Web sites:
TrojanProxy:Win32/Pramro.F opens and listens on a random TCP port between 1179 and 11,178 (inclusive) except ports 6665, 6666, and 6667. It may then be used to relay spam e-mail or HTTP traffic.
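The two indicators described above (the firewall exception whose data ends in ":*:enabled:ipsec" and a listener in the stated port range) can be correlated in a triage script. The following is an added example, not part of the original analysis; the `reg query` output, the listener list, the path C:\Temp\example.exe and all function names are constructed for illustration, and matching on the "ipsec" label is a heuristic assumption rather than a definitive signature.

```python
import re

# Constructed sample of `reg query` output for the AuthorizedApplications\List subkey.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\system32\sessmgr.exe    REG_SZ    %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
    C:\Temp\example.exe    REG_SZ    C:\Temp\example.exe:*:enabled:ipsec
"""

# Constructed sample of listening TCP sockets: (local port, owning executable).
SAMPLE_LISTENERS = [(135, r"C:\Windows\System32\svchost.exe"),
                    (4821, r"C:\Temp\example.exe"),
                    (6666, r"C:\Temp\example.exe")]

EXCLUDED_PORTS = {6665, 6666, 6667}

def in_reported_port_range(port):
    """True if port is in the range the write-up gives (1179-11178, minus 3 ports)."""
    return 1179 <= port <= 11178 and port not in EXCLUDED_PORTS

def suspicious_firewall_entries(reg_output):
    """Return executable paths whose exception data is '<path>:*:enabled:ipsec'."""
    hits = []
    for line in reg_output.splitlines():
        # reg query separates name, type and data with runs of four spaces.
        parts = re.split(r"\s{4,}", line.strip())
        if len(parts) != 3 or parts[1] != "REG_SZ":
            continue
        # Split from the right: the path itself contains a drive-letter colon.
        fields = parts[2].rsplit(":", 3)
        if len(fields) == 4 and [f.lower() for f in fields[1:]] == ["*", "enabled", "ipsec"]:
            hits.append(fields[0])
    return hits

def correlate(reg_output, listeners):
    """Pair flagged firewall exceptions with listeners in the reported port range."""
    flagged = {p.lower() for p in suspicious_firewall_entries(reg_output)}
    return [(port, exe) for port, exe in listeners
            if exe.lower() in flagged and in_reported_port_range(port)]

if __name__ == "__main__":
    print(suspicious_firewall_entries(SAMPLE_REG))
    print(correlate(SAMPLE_REG, SAMPLE_LISTENERS))
```

A firewall-exception hit on its own is worth reviewing even when no matching listener is present, since the proxy port is chosen at random each run.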
Analysis by Jireh Sanico
The following system changes may indicate the presence of this malware: