Follow:

 

TrojanProxy:Win32/Pramro.F


TrojanProxy:Win32/Pramro.F is a trojan that creates a proxy on an infected computer. Proxy servers may be used by attackers to hide the origin of malicious activity. In this case, this proxy may be used to relay spam and HTTP traffic. In the wild TrojanProxy:Win32/Pramro.F has been observed to be associated with the Win32/Sality malware family variants such as Virus:Win32/Sality.AT.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
Removing a program exception
This threat may add a malware program to the Windows Firewall exception list. To remove the program exception, follow these steps. You will need the malware file name as detected by your antivirus product:
 
For Windows 7:
1) Click Start, select Control Panel, then System and Security.
2) Select Windows Firewall.
3) On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4) Click Change Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
5) Select the malware file name from the list of allowed programs and features. Click Remove.
6) Click OK.
 
For Windows Vista:
1) Click Start, select Control Panel, then Security Center.
2) On the left-hand menu, select Windows Firewall.
3) On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4) Select the malware file name from the list of allowed programs and features. Click Delete.
5) Click OK.
 
For Windows XP:
1) Use an administrator account to log on.
2) Click Start, select Run, type wscui.cpl, and then click OK.
3) In Windows Security Center, click Windows Firewall.
4) On the Exceptions tab, click the malware file name and then click Delete.
5) Click OK.

Threat behavior

TrojanProxy:Win32/Pramro.F is a trojan that creates a proxy on an infected computer. Proxy servers may be used by attackers to hide the origin of malicious activity. In this case, this proxy may be used to relay spam and HTTP traffic. In the wild TrojanProxy:Win32/Pramro.F has been observed to be associated with the Win32/Sality malware family variants such as Virus:Win32/Sality.AT.
Installation
TrojanProxy:Win32/Pramro.F runs from where it is executed. It creates the mutex "qiwuyeiu2983" to avoid running multiple instances of itself.
Payload
Modifies security settings
TrojanProxy:Win32/Pramro.F adds itself to the Windows Firewall exclusion list by modifying the following registry entry:
 
Sets value: "<malware>"
With data: "<path to malware executable>:*:enabled:ipsec"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
 
Creates SOCKS proxy
TrojanProxy:Win32/Pramro.F may initially contact the following sites (possibly to test its functionality):
 
c.mx.mail.yahoo.com
d.mx.mail.yahoo.com
imx1.rambler.r
maila.microsoft.com
mailin-01.mx.aol.com
mailin-02.mx.aol.com
mailin-03.mx.aol.com
mailin-04.mx.aol.com
mx1.yandex.ru
mx2.yandex.ru
mxs.mail.ru
 
The trojan then makes several HTTP GET requests to the following Web sites:

212.117.175.9
212.117.185.10
 
TrojanProxy:Win32/Pramro.F opens and listens on a random TCP port between 1179 and 11,178 (inclusive) except ports 6665, 6666, and 6667. It may then be used to relay spam e-mail or HTTP traffic.
 
Analysis by Jireh Sanico

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following registry modifications:
    Added data: "<path to malware executable>:*:enabled:ipsec"
    To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Prevention


Alert level: Severe
First detected by definition: 1.71.2212.0
Latest detected by definition: 1.71.2212.0 and higher
First detected on: Jan 14, 2010
This entry was first published on: Mar 10, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Backdoor.Win32.Mazben.ah (Kaspersky)
  • W32/Horst.gen33 (Norman)
  • Win32/Maazben!generic (CA)
  • Generic Proxy!r (McAfee)
  • Mal/TinyDL-T (Sophos)