Attention: We have transitioned to a new AAD or Microsoft Entra ID from the week of May 20, 2024. In case your tenant requires admin consent, please refer to this document located at Overview of user and admin consent - Microsoft Entra ID | Microsoft Learn and grant access to App ID: 6ba09155-cb24-475b-b24f-b4e28fc74365 with graph permissions for Directory.Read.All and User.Read for continued access. While the app may appear unverified, you can confirm its legitimacy by verifying the App ID provided.
We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
TrojanProxy:Win32/Pramro.F
Detected by Microsoft Defender Antivirus
Aliases: Backdoor.Win32.Mazben.ah (Kaspersky) W32/Horst.gen33 (Norman) Win32/Maazben!generic (CA) Generic Proxy!r (McAfee) Mal/TinyDL-T (Sophos)
Summary
TrojanProxy:Win32/Pramro.F is a trojan that creates a proxy on an infected computer. Proxy servers may be used by attackers to hide the origin of malicious activity. In this case, this proxy may be used to relay spam and HTTP traffic. In the wild TrojanProxy:Win32/Pramro.F has been observed to be associated with the Win32/Sality malware family variants such as Virus:Win32/Sality.AT.
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
Removing a program exception
This threat may add a malware program to the Windows Firewall exception list. To remove the program exception, follow these steps. You will need the malware file name as detected by your antivirus product:
For Windows 7:
1) Click Start, select Control Panel, then System and Security.
2) Select Windows Firewall.
3) On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4) Click Change Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
5) Select the malware file name from the list of allowed programs and features. Click Remove.
6) Click OK.
2) Select Windows Firewall.
3) On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4) Click Change Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
5) Select the malware file name from the list of allowed programs and features. Click Remove.
6) Click OK.
For Windows Vista:
1) Click Start, select Control Panel, then Security Center.
2) On the left-hand menu, select Windows Firewall.
3) On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4) Select the malware file name from the list of allowed programs and features. Click Delete.
5) Click OK.
2) On the left-hand menu, select Windows Firewall.
3) On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4) Select the malware file name from the list of allowed programs and features. Click Delete.
5) Click OK.
For Windows XP:
1) Use an administrator account to log on.
2) Click Start, select Run, type wscui.cpl, and then click OK.
3) In Windows Security Center, click Windows Firewall.
4) On the Exceptions tab, click the malware file name and then click Delete.
5) Click OK.
2) Click Start, select Run, type wscui.cpl, and then click OK.
3) In Windows Security Center, click Windows Firewall.
4) On the Exceptions tab, click the malware file name and then click Delete.
5) Click OK.