Threat behavior
TrojanProxy:Win32/Ranky.gen!B is a trojan that attempts to use the affected computer as a proxy server without the user's consent.
Installation
TrojanProxy:Win32/Ranky.gen!B arrives on the system under a random file name. It modifies the system registry so that it runs automatically every time Windows starts:
Adds value: "Advanced DHTML Enable"
With data: "<malware file>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
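The Run value above is the persistence indicator a responder would check first. The following triage script is an added example and not part of the original analysis: it enumerates the HKLM Run key, flags the value name quoted above, and resolves the value data to the on-disk file so it can be collected. Checking both the 64-bit and the 32-bit (WOW6432Node) registry views is an assumption made here, because a 32-bit process on 64-bit Windows writes its Run value into the redirected view; the page only names the unredirected path.

```python
"""Triage the HKLM Run-key persistence described for TrojanProxy:Win32/Ranky.gen!B.

Added example, not part of the original write-up. The value name and subkey are
the ones the analysis quotes; checking both registry views and resolving the
value data to a file path are additions made here.
"""
import os

RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
INDICATOR_VALUE_NAME = "Advanced DHTML Enable"   # value name quoted in the analysis


def executable_from_command(data: str) -> str:
    """Extract the executable path from Run-key value data.

    Handles '"C:\\path with spaces\\x.exe" /arg' and 'C:\\path\\x.exe /arg'.
    Unquoted paths that themselves contain spaces are ambiguous and are
    returned only up to the first space.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    return data.split(None, 1)[0] if data else ""


def flag_entries(entries):
    """entries: iterable of (value_name, data) pairs from a Run key.

    Returns [(value_name, executable_path)] for entries whose name matches the
    indicator (case-insensitive, surrounding whitespace ignored).
    """
    hits = []
    for name, data in entries:
        if name.strip().lower() == INDICATOR_VALUE_NAME.lower():
            hits.append((name, executable_from_command(str(data))))
    return hits


def read_run_entries(view_flag):
    """Enumerate HKLM\\...\\Run in one registry view (Windows only).

    winreg is imported inside the function so the pure helpers above can be
    used and tested on any platform.
    """
    import winreg
    entries = []
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY, 0,
                             winreg.KEY_READ | view_flag)
    except OSError:
        return entries          # view not present (e.g. 32-bit Windows) or access denied
    with key:
        i = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, i)
            except OSError:
                break           # no more values
            entries.append((name, data))
            i += 1
    return entries


def main():
    import winreg
    views = (("64-bit view", winreg.KEY_WOW64_64KEY),
             ("32-bit view (WOW6432Node)", winreg.KEY_WOW64_32KEY))
    for label, flag in views:
        for name, path in flag_entries(read_run_entries(flag)):
            state = "present" if os.path.isfile(path) else "missing"
            print(f"[{label}] Run value {name!r} -> {path} ({state} on disk)")


if __name__ == "__main__":
    main()
```

Run it as an administrator on the suspect host; a hit whose file is still present should be copied off for analysis before the value is removed, since the file name is random and will not be recoverable from the signature name alone.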
Payload
Acts as a proxy server
TrojanProxy:Win32/Ranky.gen!B may initialize Winsock and then listen on a random TCP port in the range 1025 to 65534.
It may then attempt to contact the remote server 'serv1.alwaysproxy8.info' on port 18384, retrying every fifteen minutes until a connection is established. Once connected, it may notify that remote server of its presence on the affected computer.
It may then accept incoming connection requests on its listening port; for each request it attempts an onward connection and replies with one of two HTTP-style status lines reporting the result:
- "HTTP/1.0 201 Unable to connect", or
- "HTTP/1.0 200 Connection established"
The second line is the standard reply of an HTTP CONNECT proxy when a tunnel is opened; the first uses status 201, which legitimate proxies do not use to report a failed CONNECT, so the pair is a usable network signature for this family. Once a tunnel is established, the remote client can use the affected computer as a proxy server without the user's consent.
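The exchange described above can be checked from the network side by sending a CONNECT request to a suspect listening port and comparing the first response line against the two strings the trojan is reported to use. The probe below is an added example, not code from the original analysis; the two reply strings are the ones quoted above, while the request format (an HTTP/1.0 CONNECT line to a reserved hostname), the classification labels, and the loopback test double are assumptions made here.

```python
"""Probe a TCP port for the CONNECT-style proxy replies described for
TrojanProxy:Win32/Ranky.gen!B.

Added example, not part of the original write-up. Only the two reply strings
come from the analysis; everything else is an assumption made for the demo.
"""
import socket
import threading

# Reply lines quoted in the analysis, mapped to labels chosen here.
RANKY_REPLIES = {
    b"HTTP/1.0 201 Unable to connect": "ranky-refused",
    b"HTTP/1.0 200 Connection established": "ranky-tunnel",
}


def classify_reply(data: bytes) -> str:
    """Classify the first line of a response.

    Returns one of the two Ranky labels on an exact match, 'other-http' for any
    other HTTP status line, and 'no-http' for anything else (SSH banner, binary).
    """
    first = data.split(b"\r\n", 1)[0].split(b"\n", 1)[0].strip()
    if first in RANKY_REPLIES:
        return RANKY_REPLIES[first]
    if first.startswith(b"HTTP/"):
        return "other-http"
    return "no-http"


def probe_connect(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a CONNECT request to host:port and classify whatever comes back.

    The destination 'example.invalid:80' is a reserved name, so a real proxy
    cannot reach it; a Ranky-style proxy would answer with its 201 line.
    """
    request = b"CONNECT example.invalid:80 HTTP/1.0\r\n\r\n"   # assumed request shape
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            data = b""
            while b"\n" not in data and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:                      # refused, timed out, reset, ...
        return f"error:{exc.__class__.__name__}"
    if not data:
        return "no-reply"
    return classify_reply(data)


def start_mock_proxy(reply: bytes) -> int:
    """Constructed test double: a loopback listener that answers one
    connection with `reply` and exits. Returns the chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)                     # consume the CONNECT request
            conn.sendall(reply + b"\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Demo against the test double; point probe_connect at a real host:port to use it.
    port = start_mock_proxy(b"HTTP/1.0 201 Unable to connect")
    print(f"127.0.0.1:{port} -> {probe_connect('127.0.0.1', port)}")
```

Because the listening port is random, the probe is most useful after listing the host's listening TCP ports (for example with netstat on the affected computer) and feeding each unexplained port in the 1025 to 65534 range to probe_connect; an outbound connection to port 18384 from the same process is the complementary indicator on the egress side.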
Analysis by Andrei Florin Saygo
Prevention