Trojan:Win32/Pramro.A is a trojan that can act as an SMTP and HTTP proxy and is used to send spam e-mail. In the wild it has been distributed as a 30,208-byte UPX-packed executable compiled from a program written in C (note that Microsoft may also detect related variants with minor differences under the same name).
This trojan may be installed by other malware that has previously compromised the affected system. It has been observed in the wild working in concert with other malware in multi-component attacks.
Modifies System Settings
The trojan makes several registry modifications.
This modification is made to add the trojan to the Firewall's list of authorized applications:
Adds value: <trojan's fully qualified path>:*:Enabled:ipsec
With data: <trojan's fully qualified path>
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
The following modification is made to ensure that Internet Explorer is not started in offline mode:
Adds value: GlobalUserOffline
With data: 0
To subkey: HKCR\Software\Microsoft\Windows\CurrentVersion\Internet Settings
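The following script, added here as an example and not part of the Microsoft write-up, checks a Windows host for the two registry modifications described above. It uses the key paths and value layout stated in the write-up; the function names are the example's own, and it assumes an elevated PowerShell session.

```powershell
# Added example (not from the Microsoft write-up): look for the two registry
# modifications described above on the local host. Run from an elevated PowerShell
# session; the key paths and the value name/data layout are the ones the write-up states.

$FirewallListKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$InetSettingsKey = 'Registry::HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Suffix = ':*:Enabled:ipsec'   # the "ipsec" display name the trojan registers itself under

function Find-PramroFirewallEntries {
    param([string]$KeyPath = $FirewallListKey)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return @() }
    $key = Get-Item -LiteralPath $KeyPath
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        # The write-up gives name = "<path>:*:Enabled:ipsec" and data = "<path>"; a normal
        # firewall exception stores the "<path>:*:Enabled:<name>" string in the data side,
        # so test both sides to catch either layout.
        $hit = $null
        if ($name.EndsWith($Suffix, [System.StringComparison]::OrdinalIgnoreCase)) { $hit = $name }
        elseif ($data.EndsWith($Suffix, [System.StringComparison]::OrdinalIgnoreCase)) { $hit = $data }
        if ($hit) {
            $exePath = $hit.Substring(0, $hit.Length - $Suffix.Length)
            $exists = if ($exePath) { Test-Path -LiteralPath $exePath -PathType Leaf } else { $false }
            [pscustomobject]@{
                ValueName  = $name
                ValueData  = $data
                Executable = $exePath
                FileExists = $exists
            }
        }
    }
}

function Test-IeOfflineDisabled {
    param([string]$KeyPath = $InetSettingsKey)
    $props = Get-ItemProperty -LiteralPath $KeyPath -Name GlobalUserOffline -ErrorAction SilentlyContinue
    # GlobalUserOffline = 0 is a weak indicator on its own (it is a legitimate setting);
    # treat it as corroborating only when a firewall entry from the function above is present.
    return ($null -ne $props -and [int]$props.GlobalUserOffline -eq 0)
}

$entries = @(Find-PramroFirewallEntries)
if ($entries.Count -gt 0) {
    Write-Warning "Firewall exception(s) registered under the 'ipsec' name:"
    $entries | Format-Table -AutoSize
} else {
    Write-Host 'No firewall exception matching the Pramro pattern found.'
}
Write-Host ("GlobalUserOffline forced to 0: {0}" -f (Test-IeOfflineDisabled))
```

The executable path recovered from the firewall entry is the most useful output: if the file still exists it is the sample to collect, and if it has been deleted the orphaned exception is itself evidence that the host was compromised.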
Sends Spam E-mail
The trojan attempts to utilize the following SMTP servers to send e-mail messages:
The data used to compose and address the e-mail messages is either received through a randomly opened port or downloaded from IP address 126.96.36.199.
Subverts Anti-Spam Services
The trojan uses the following services to identify the IP address of the affected host:
The trojan listens on ports 53 (domain) and 80 (http). This makes it possible for the trojan to subvert requests to the following spam reporting services:
During its operation, Trojan:Win32/Pramro.A may utilize a custom entry inside %windir%\SYSTEM.INI to store randomly generated hex values in the following format:
MCI_DPI32 = xx.xx
where each xx is a two-digit hexadecimal value.
The trojan creates the mutex: S_SERV_v0122ALPHAA.
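The script below, added as an example and not part of the Microsoft write-up, covers the remaining host indicators described above: the process listening on ports 53 and 80 from the anti-spam section, the MCI_DPI32 entry in %windir%\SYSTEM.INI, and the S_SERV_v0122ALPHAA mutex. The function names are the example's own; it assumes Windows 8 or later for Get-NetTCPConnection and Get-NetUDPEndpoint, and an elevated session so process paths are readable.

```powershell
# Added example (not from the Microsoft write-up): host checks for the SYSTEM.INI marker,
# the mutex, and listeners on ports 53/80 described in the write-up.

$SystemIniPath = Join-Path $env:windir 'SYSTEM.INI'
$MutexName     = 'S_SERV_v0122ALPHAA'
$WatchPorts    = @(53, 80)

function Find-SystemIniMarker {
    param([string]$Path = $SystemIniPath)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return @() }
    # Match any MCI_DPI32 line, then record whether the value has the "xx.xx" hex form
    # the write-up describes, so a malformed or tampered entry is still reported.
    $pattern = '^\s*MCI_DPI32\s*=\s*(?<val>.*?)\s*$'
    Select-String -LiteralPath $Path -Pattern $pattern | ForEach-Object {
        $val = $_.Matches[0].Groups['val'].Value
        [pscustomobject]@{
            Line        = $_.LineNumber
            Value       = $val
            MatchesForm = ($val -match '^[0-9A-Fa-f]{2}\.[0-9A-Fa-f]{2}$')
        }
    }
}

function Test-PramroMutex {
    param([string]$Name = $MutexName)
    # The write-up does not say which namespace the mutex lives in, so try both.
    foreach ($candidate in @($Name, "Global\$Name")) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($candidate)
            $m.Dispose()
            return $true
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # not present under this name; try the next namespace
        } catch [System.UnauthorizedAccessException] {
            # exists but we lack rights to open it; that is still evidence it is there
            return $true
        }
    }
    return $false
}

function Get-WatchedPortOwners {
    param([int[]]$Ports = $WatchPorts)
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess
    foreach ($ep in @($tcp) + @($udp)) {
        if ($null -eq $ep) { continue }
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        # A DNS or web server legitimately owns these ports; what matters is whether the
        # owning image is an unexpected binary (compare with any firewall entry found earlier).
        [pscustomobject]@{
            Proto     = $ep.Proto
            Address   = $ep.LocalAddress
            Port      = $ep.LocalPort
            ProcessId = $ep.OwningProcess
            Process   = $proc.ProcessName
            Path      = $proc.Path
        }
    }
}

$iniHits = @(Find-SystemIniMarker)
if ($iniHits.Count -gt 0) { Write-Warning 'MCI_DPI32 entry present in SYSTEM.INI:'; $iniHits | Format-Table -AutoSize }
Write-Host ("Mutex {0} present: {1}" -f $MutexName, (Test-PramroMutex))
$owners = @(Get-WatchedPortOwners)
if ($owners.Count -gt 0) { Write-Host 'Processes bound to ports 53/80:'; $owners | Format-Table -AutoSize }
```

Read the three results together: the mutex check is only meaningful while the trojan is running, the SYSTEM.INI entry persists after the process is gone, and the port owner listing tells you which image to compare against the path recorded in the firewall exception.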
Analysis by Oleg Petrovsky