Trojan.Snikyprox
First posted on 30 May 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Snikyprox.
Explanation:
The Trojan arrives after being left on a compromised server.
The Trojan modifies an executable file on the compromised server to load a malicious DLL file and to continue to persist on the server.
Note: The malicious DLL file contains a hard-coded path to the encrypted executable file.
When the Trojan decrypts the file, it creates the following files:
%SystemDrive%MS[RANDOM CHARACTERS].exe
%UserProfile%\Local Settings\Temp\MS[RANDOM CHARACTERS].exe
The Trojan executes the following file and then injects the dropped file into it:
SVCHOST.EXE
The Trojan deletes the dropped file after injecting it into SVCHOST.EXE.
The Trojan opens a back door, and connects to one of the following locations:
172.16.1.33
172.16.1.196
172.31.5.33
172.31.1.199
The Trojan may then download and execute potentially malicious files.
Last update 30 May 2015