[virusinfo] Troj/Proxy-M

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Sat, 25 Jun 2005 17:20:01 -0700

From: Sophos Alert System:

Name: Troj/Proxy-M
Type: Trojan
Date: 25 June 2005

Sophos has issued protection for Troj/Proxy-M.

At the time of writing, Sophos has received a small number of
reports of this Trojan from the wild.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about Troj/Proxy-M can be found at:
http://www.sophos.com/virusinfo/analyses/trojproxym.html

Troj/Proxy-M is a proxy server Trojan.

The proxy server runs continuously in the background listening on a
pre-configured port and allows data to be routed through the computer.
The proxy may be used to forward spam.

Troj/Proxy-M may be installed by opening a malicious document that exploits the
"CAN-2003-0820 Word Buffer Overrun Vulnerability" associated with Microsoft
Word (see Microsoft Security Bulletin MS03-050). The malicious document
contains an encrypted form of Troj/Proxy-M and a macro. When the document is
opened with a vulnerable version of Microsoft Word, the macro will execute
(regardless of security settings) and will drop and run Troj/Proxy-M.

When Troj/Proxy-M is first run it copies itself to <Windows>\csrss.exe and
creates the file <System>\mslogsvr.ini.

The following registry entry is created to run csrss.exe on startup:

  Key:   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Value: Shell
  Data:  Explorer.exe <Windows>\csrss.exe

Alternatively, Troj/Proxy-M may run itself on startup by adding the pathname of
csrss.exe to the 'shell=' line in the [boot] section of System.ini, or to one
of the following registry entries:

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\LogService
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\LogService
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\LogService


The Troj/Proxy-M virus identity file (IDE) also includes detection for:

Troj/Haxdoor-AA
http://www.sophos.com/virusinfo/analyses/trojhaxdooraa.html

Troj/Haxdoor-AF
http://www.sophos.com/virusinfo/analyses/trojhaxdooraf.html

W32/Rbot-AGL
http://www.sophos.com/virusinfo/analyses/w32rbotagl.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for Troj/Proxy-M from:

http://www.sophos.com/downloads/ide/proxy-m.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html


*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
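A defender-side check for the startup locations the Sophos alert lists (Winlogon Shell, the System.ini [boot] shell= line, and the LogService entries under RunOnceEx, RunServices and RunOnce), added here as an example; it is neither Sophos' code nor part of the original post. It parses a constructed .reg export and a constructed System.ini offline; it assumes LogService is a value name under each Run key (the alert's notation could also mean a subkey), and flags any shell setting that launches something besides Explorer.exe.

```python
import re

# Startup locations named in the Sophos alert; keys are compared uppercased.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON"
RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
]
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "Name"="string data" lines

def parse_reg_export(text):
    """Parse a .reg export into {KEY: {value_name: data}} (REG_SZ values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes in string data as '\\'
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def shell_has_extra_program(shell_line):
    """True if a shell setting launches anything besides Explorer.exe."""
    return any(t.lower() != "explorer.exe" for t in shell_line.replace(",", " ").split())

def find_persistence_indicators(reg_text, system_ini_text):
    """Return human-readable findings for the Troj/Proxy-M startup locations."""
    findings, keys = [], parse_reg_export(reg_text)
    shell = keys.get(WINLOGON_KEY, {}).get("Shell", "")
    if shell_has_extra_program(shell):
        findings.append("Winlogon Shell launches an extra program: " + shell)
    for key in RUN_KEYS:  # assumption: LogService is a value name under each key
        if "LogService" in keys.get(key, {}):
            findings.append("LogService under " + key + ": " + keys[key]["LogService"])
    in_boot = False
    for line in system_ini_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_boot = line.lower() == "[boot]"
        elif in_boot and line.lower().startswith("shell=") and shell_has_extra_program(line[6:]):
            findings.append("System.ini [boot] shell= launches an extra program: " + line[6:])
    return findings

# Constructed sample data (not captured from a real infection).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\csrss.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LogService"="C:\\WINDOWS\\csrss.exe"'''
SAMPLE_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\csrss.exe\n[drivers]\n"
```

A csrss.exe under the Windows directory rather than the System directory is itself worth a second look, since the legitimate binary lives in the latter.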