
Trojan-Proxy.Win32.Ranky.fw

Detected Apr 09 2007 17:20 GMT
Released Apr 09 2007 17:20 GMT

This is a description which has been automatically generated following analysis of this program on a test machine. This description may contain incomplete or inaccurate information.

Summary


Technical details

File size of 354816 bytes.


Installation

Makes copies of itself with the following names once launched:

  • %System%\QQhx.dat (Windows system directory, usually C:\Windows\System32)


Malicious activity

Steals confidential user information from the following internet pagers:

  • QQ

Note on this class of behaviour: a malicious program of this kind is designed to steal accounts (login and password) from instant messaging clients (internet pagers, e.g. ICQ, MSN Messenger, Yahoo Pager, QQ, Skype, etc.). The information is sent to a cybercriminal via email, ftp, the web or other methods. The stolen accounts can be sold or used to spread other malicious programs. Read more details here: http://www.viruslist.com/en/analysis?pubid=204792005

Deletes or modifies the system registry keys shown below in order to prevent correct functioning of antivirus solutions (HKLM is the HKEY_LOCAL_MACHINE hive):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RavTask" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "KvMonXP" = ""
Description: Jiangmin AntiVirus

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "KAVPersonal50" = ""
Description: Kaspersky AntiVirus


Other activities

Searches for the following windows:

  • Class: dqhx
  • Title: dqhx

Deletes the following parameters of the system registry keys (each is used to automatically run files when the Windows OS boots):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "YLive.exe" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "yassistse" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NTdhcp" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Winhoxt" = ""

Deletes the following files on an infected computer (%System% is the Windows system directory, usually C:\Windows\System32):

  • %System%\kakatool.dll
  • d:\sxs.exe
  • e:\sxs.exe
  • f:\sxs.exe
  • g:\sxs.exe
  • h:\sxs.exe
  • i:\sxs.exe
  • j:\sxs.exe
  • %System%\@#$#.htm
  • %System%\dqhx1.txt
  • %System%\dqhx2.txt
  • %System%\dqhx3.txt


Trojan-Proxy

Trojan-Proxy programs are designed to give malicious users access to a variety of Internet resources via victim computers.

These malicious programs are typically used to send out mass spam mailings.
