TrojanProxy:Win32/Ranky is malware that functions as a trojan proxy on the affected computer.
Installation
TrojanProxy:Win32/Ranky could be installed by other malware. When run, it modifies the registry so that the trojan is executed from its installed path at each Windows start:
Adds value: "Advance DHTML Enable"
With data: "<path and file name of TrojanProxy:Win32/Ranky>"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
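The Run value above is the persistence indicator a responder would look for first. The following is an added example for defenders, not code from the original analysis: on Windows it enumerates HKLM\Software\Microsoft\Windows\CurrentVersion\Run with the standard winreg module; elsewhere it falls back to a constructed sample export so the matching logic can still be exercised. The sample file path is constructed, not an indicator from the page.

```python
"""Look for the TrojanProxy:Win32/Ranky persistence value in the HKLM Run key.

Added defender example; not part of the original analysis. Reads the real
Run key on Windows via winreg and uses a constructed sample elsewhere.
"""
import sys

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
INDICATOR_VALUE_NAME = "Advance DHTML Enable"  # value name added by the trojan


def read_run_values():
    """Return {value_name: data} from HKLM\\...\\Run, or None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only

    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _value_type = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            values[name] = data
            index += 1
    return values


def find_ranky_indicator(run_values):
    """Return [(value_name, data), ...] entries whose name matches the indicator.

    Registry value names are not case-sensitive, so compare case-insensitively
    and ignore surrounding whitespace.
    """
    target = INDICATOR_VALUE_NAME.casefold()
    return [(name, data) for name, data in run_values.items()
            if name.strip().casefold() == target]


# Constructed sample of a Run key export (not real data), used off Windows.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "Advance DHTML Enable": r"C:\Users\Public\example_ranky.exe",  # constructed path
}


def main():
    values = read_run_values()
    if values is None:
        values = SAMPLE_RUN_VALUES
    hits = find_ranky_indicator(values)
    if hits:
        for name, data in hits:
            print(f"persistence indicator found: {name!r} -> {data!r}")
    else:
        print("no TrojanProxy:Win32/Ranky Run value found")


if __name__ == "__main__":
    main()
```

On a live system the data of a matching value is the path to the trojan executable, which is the next artifact to collect; the value name alone is the indicator this entry gives, so the check matches on the name rather than the path.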
Payload
Functions as proxy server
TrojanProxy:Win32/Ranky initializes Winsock 2.2 and generates a random seed value from the current system time and the current process ID. The trojan then creates a non-blocking socket and listens on a random port in the range 1025 – 65534. If this succeeds, the trojan starts a thread that attempts to contact the predefined remote host 'serv1.alwaysproxy3.info' on port 18386.
This communication uses UDP datagrams. At the time of writing, the remote server's domain name is not registered. The malware keeps retrying the connection every 15 minutes until the remote server becomes available. Once connected, TrojanProxy:Win32/Ranky notifies the attacker of its presence by sending, in encrypted form, the port number on which it is waiting for a connection.
TrojanProxy:Win32/Ranky handles up to a maximum of 18386 incoming requests. For each request, the malware records the time, the source information, and the client's network address and port. A request has the following format:
<Byte Command> <Source Info> [http://]<client remote address>[:port]
The malware replies with the status of the client connection attempt using one of two responses:
"HTTP/1.0 201 Unable to connect"
or
"HTTP/1.0 200 Connection established"
Once a connection is established, the remote client can use the affected computer as a proxy server without the user’s consent.
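The request format and the two reply lines above are enough to recognise this proxy traffic in a capture. The following is an added analyst example, not the trojan's own code: it parses lines of the form `<Byte Command> <Source Info> [http://]<client remote address>[:port]` and flags the two reply strings. It assumes the fields are separated by whitespace, that the command is a single byte, and that a missing `:port` means port 80; the sample capture is constructed.

```python
"""Parse TrojanProxy:Win32/Ranky proxy requests and recognise its reply lines.

Added analyst example, not code from the original analysis. Assumptions:
whitespace-separated fields, a single command byte, and port 80 when the
optional :port is absent.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# <Byte Command> <Source Info> [http://]<client remote address>[:port]
REQUEST_RE = re.compile(
    r"^(?P<command>\S)\s+"          # single command byte (assumption)
    r"(?P<source>\S+)\s+"           # source information token
    r"(?:http://)?"                 # optional scheme prefix
    r"(?P<host>[A-Za-z0-9.\-]+)"    # hostname or dotted IPv4 address
    r"(?::(?P<port>\d{1,5}))?\s*$"  # optional :port
)

RESPONSE_OK = "HTTP/1.0 200 Connection established"
RESPONSE_FAIL = "HTTP/1.0 201 Unable to connect"


@dataclass(frozen=True)
class ProxyRequest:
    command: str
    source: str
    host: str
    port: int


def parse_request(line: str) -> Optional[ProxyRequest]:
    """Return a ProxyRequest, or None if the line does not match the format."""
    m = REQUEST_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    port = int(m.group("port")) if m.group("port") else 80  # assumed default
    if not 1 <= port <= 65535:
        return None
    return ProxyRequest(m.group("command"), m.group("source"),
                        m.group("host"), port)


def is_ranky_response(line: str) -> bool:
    """True for either of the trojan's two reply lines.

    "201 Unable to connect" is not a standard HTTP status line (201 means
    Created), so it is a useful fingerprint for this family in captured traffic.
    """
    return line.strip() in (RESPONSE_OK, RESPONSE_FAIL)


def scan_capture(lines) -> Tuple[List[ProxyRequest], int]:
    """Walk captured text lines; return (parsed requests, reply-line count)."""
    requests: List[ProxyRequest] = []
    responses = 0
    for line in lines:
        if is_ranky_response(line):
            responses += 1
            continue
        req = parse_request(line)
        if req is not None:
            requests.append(req)
    return requests, responses


# Constructed sample capture (not real traffic).
SAMPLE_CAPTURE = [
    "\x01 client-a http://www.example.com:8080",
    "HTTP/1.0 200 Connection established",
    "\x01 client-b 192.0.2.10",
    "HTTP/1.0 201 Unable to connect",
    "GET / HTTP/1.1",  # unrelated line, ignored
]

if __name__ == "__main__":
    reqs, count = scan_capture(SAMPLE_CAPTURE)
    for r in reqs:
        print(f"proxy request from {r.source}: {r.host}:{r.port}")
    print(f"{count} Ranky-style reply line(s) seen")
```

The parsed host and port of each request show where the compromised machine was asked to connect on the client's behalf, which is what an investigator needs to scope what the proxy was used for.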
Additional Information
This malware does not check whether it is already running on the affected computer, so multiple instances of the malware process may be present in memory at the same time.
Analysis by Rodel Fiñones