English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeDescriptionsTrojan-Proxy.Win32.Ranky.cq

Trojan-Proxy.Win32.Ranky.cq

Detected Feb 04 2006 20:46 GMT
Released Feb 04 2006 20:46 GMT
Published Apr 03 2006 11:16 GMT

Technical Details
Payload
Removal instructions

Technical Details

This Trojan program makes it possible for a remote malicious user to use the machine as a proxy-server.

The Trojan itself is a Windows PE EXE file written in Visual C++, packed using UPX. The file can be between 39KB - 53KB in size.

Installation

Once launched, the Trojan registers itself in the system registry, ensuring that it will be launched each time Windows is rebooted on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "Services"="<path to Trojan program>"

The Trojan creates a unique identifier, "Windows-Update-Service" to flag its presence in the system.


Payload

Once launched, the Trojan listens on a random TCP port to realize the proxy-server function. The number of the port chosen is randomly generated, and will be in the range 1025 - 5024. If it is not possible to listen on this port, a new attempt will be made, with the port number being regenerated.

The worm then establishes a connection to cb.im***itethinking.biz. If this is unsucessful, the attempt will be repeated at 15 minute intervals.

If the connection is successful, the number of the port which the Trojan is listening on will be encoded and transmitted to port 3878 on the server in encrypted form.

Once the remote malicious user receives this data, s/he will be able to use the victim machine as a proxy-server.


Removal instructions

  1. Determine the name of the Trojan program by using regedit or another utility to edit the system registry. View the "Services" parameter in the [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] key; this parameter gives the full path to the malicious program.
  2. Use Task Manager to terminate the process with the Trojan name.
  3. Delete the original Trojan file.
  4. Delete the following value from the system registry key:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
     "Services"="<path to Trojan program>"
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).


Print
Bookmark and Share
Share
Trojans
Trojan-Proxy

Trojan-Proxy programs are designed to give malicious users access to a variety of Internet resources via victim computers.

These malicious programs are typically used to send out mass spam mailings.


Aliases

Trojan-Proxy.Win32.Ranky.cq (Kaspersky Lab) is also known as:

  • Troj/Ranck-Gen (Sophos)
  • Adware/Lop (Panda)
  • W32/Malware!e1d1 (FPROT)
  • TrojanProxy:Win32/Ranky.GD (MS(OneCare))
  • Trojan.Ranky (DrWeb)
  • MemScan:Trojan.Proxy.Ranky.DQ (BitDef7)
  • Trojan-Proxy.Win32.Ranky.CQ (Ikarus)
  • TR/Drop.Rank.cq.7.A (AVIRA)
  • Suspicious_Gen2.DEFNN (Norman)
  • Trojan-Proxy.Win32.Ranky.cq [AVP] (FSecure)

© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search