Trojan:Win32/Waprox


Trojan:Win32/Waprox is a trojan that connects to certain servers to receive commands from a remote attacker.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

Trojan:Win32/Waprox may come in either EXE or DLL form. When run, it drops and loads a copy of itself at either of the following paths:

  • %CommonProgramFiles%\<malware file name>\<malware file name>.exe
  • %CommonProgramFiles%\<malware file name>\<malware file name>.dll

where <malware file name> is constructed by concatenating and/or substituting strings taken from the names of services present on the computer. For example:

For a service named "Microsoft Url History Service", "Microsoft" becomes "MS" and the spaces are dropped. The resulting malware file name is "MSUrlHistoryService.exe" or "MSUrlHistoryService.dll".

Trojan:Win32/Waprox creates the following registry entry so that it runs automatically every time Windows starts. The data takes one of two forms, depending on whether the dropped copy is an EXE or a DLL:

To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>"
With data: ""%CommonProgramFiles%\<malware file name>\<malware file name>.exe" /<random parameter>" or "rundll32.exe "%CommonProgramFiles%\<malware file name>\<malware file name>.dll",<random parameter>"

For example:

To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "MSUrlHistoryService"
With data: ""%CommonProgramFiles%\MSUrlHistoryService\MSUrlHistoryService.exe" /<random parameter>" or "rundll32.exe "%CommonProgramFiles%\MSUrlHistoryService\MSUrlHistoryService.dll",<random parameter>"
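As an added example (not part of this entry and not Microsoft's own tooling), the following Python script models the naming scheme described above and flags Run values that follow the documented layout: a value whose name matches both the folder and the file stem of a launcher under %CommonProgramFiles%, started either directly with a "/<parameter>" switch or through rundll32.exe with a ",<parameter>" suffix. The service names and Run values it inspects are constructed for the example; the only name substitution it knows is the documented "Microsoft" to "MS", so the name derivation is a partial model and the folder/file/value-name coincidence is the check to rely on.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of HKLM\...\CurrentVersion\Run values as (value name, data).
# These entries are made up for the example, not captured from an infection.
SAMPLE_RUN_VALUES = [
    ("SecurityHealth",
     r'"C:\Program Files\Windows Defender\MSASCuiL.exe"'),
    ("MSUrlHistoryService",
     r'"C:\Program Files\Common Files\MSUrlHistoryService\MSUrlHistoryService.exe" /a1f3'),
    ("MSSoftwareShadowCopyProvider",
     r'rundll32.exe "C:\Program Files\Common Files\MSSoftwareShadowCopyProvider\MSSoftwareShadowCopyProvider.dll",xk9'),
    ("OneDrive",
     r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# Constructed list of service display names, as Get-Service would show them.
SAMPLE_SERVICE_NAMES = [
    "Microsoft Url History Service",
    "Microsoft Software Shadow Copy Provider",
    "Windows Update",
]

# Assumed expansion of %CommonProgramFiles% on a default 64-bit install.
COMMON_FILES = PureWindowsPath(r"C:\Program Files\Common Files")

# The two Run data forms the entry documents:
#   "<path>.exe" /<random parameter>
#   rundll32.exe "<path>.dll",<random parameter>
EXE_FORM = re.compile(r'^"(?P<path>[^"]+\.exe)"\s*(?:/\S+)?$', re.IGNORECASE)
DLL_FORM = re.compile(r'^rundll32(?:\.exe)?\s+"(?P<path>[^"]+\.dll)"\s*,\s*\S+$',
                      re.IGNORECASE)


def candidate_names(service_display_names):
    """Model the naming scheme with the one documented substitution: drop the
    spaces from a service display name and abbreviate "Microsoft" to "MS".
    Real samples may apply other substitutions, so this is a lower bound."""
    names = set()
    for display_name in service_display_names:
        joined = display_name.replace(" ", "")
        names.add(joined)
        names.add(joined.replace("Microsoft", "MS"))
    return names


def launched_path(data):
    """Return the path a Run value launches, or None if it matches neither form."""
    for form in (EXE_FORM, DLL_FORM):
        match = form.match(data.strip())
        if match:
            return PureWindowsPath(match.group("path"))
    return None


def is_waprox_layout(value_name, data):
    """True when the value follows the documented layout:
    %CommonProgramFiles%\\<name>\\<name>.(exe|dll), with the value also named <name>."""
    path = launched_path(data)
    if path is None:
        return False
    try:
        relative = path.relative_to(COMMON_FILES)
    except ValueError:
        return False          # launcher lives somewhere else entirely
    if len(relative.parts) != 2:
        return False          # not exactly one folder deep
    folder = relative.parts[0]
    return folder.lower() == path.stem.lower() == value_name.lower()


def hunt(run_values, service_display_names):
    """Return (value name, launched path, name derived from a local service)
    for every Run value that follows the Waprox layout."""
    derived = {name.lower() for name in candidate_names(service_display_names)}
    hits = []
    for value_name, data in run_values:
        if is_waprox_layout(value_name, data):
            hits.append((value_name, str(launched_path(data)),
                         value_name.lower() in derived))
    return hits


if __name__ == "__main__":
    for value_name, path, from_service in hunt(SAMPLE_RUN_VALUES, SAMPLE_SERVICE_NAMES):
        print(f"{value_name}: {path} (matches a local service name: {from_service})")
```

On a live host, replace the two constructed lists with the display names from `Get-Service` and the values read from HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Because only the "Microsoft" to "MS" substitution is documented, treat the third field as supporting evidence only; the layout match alone is enough to justify pulling the file for analysis.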

Payload

Connects to a remote server

Trojan:Win32/Waprox connects to the following servers to receive instructions from a remote attacker, using port 80 or 2222 (the IP address below is listed with port 11825):

  • 84.84.80.47:11825
  • dance001-tst.net
  • dance001-tst.org
  • hungrypiggs.com
  • secondfatman.com

Analysis by Edgardo Diaz


Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.


Prevention


Alert level: Severe
First detected by definition: 1.125.1137.0
Latest detected by definition: 1.179.3103.0 and higher
First detected on: May 04, 2012
This entry was first published on: May 04, 2012
This entry was updated on: Jul 17, 2012

This threat is also detected as:
  • Gen:Variant.Zusy.Elzob.2492 (BitDefender)
  • Mal/Cleaman-B (Sophos)