
Trojan:Win32/Pramro.A


First posted on 10 February 2012.
Source: Microsoft

Aliases :

Trojan:Win32/Pramro.A is also known as Backdoor.Win32.Agent.dyg (Kaspersky).

Explanation :

Trojan:Win32/Pramro.A is a trojan that can act as an SMTP and HTTP proxy and is used to send spam e-mail. In the wild it has been distributed as a 30,208-byte UPX-packed executable compiled from a program written in C (please note that Microsoft may also detect related variants with minor differences under the same name).

Installation

This trojan may be installed by other malware that has previously compromised the affected system. It has been observed in the wild working in concert with other malware in multi-component attacks.

Payload

Modifies System Settings

The trojan makes several registry modifications.

This modification is made to add the trojan to the Firewall's list of authorized applications:

Adds value: <trojan's fully qualified path>:*:Enabled:ipsec
With data: <trojan's fully qualified path>
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

The following modification is made to ensure that Internet Explorer is not started in offline mode:

Adds value: GlobalUserOffline
With data: 0
To subkey: HKCR\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Sends Spam E-mail

The trojan attempts to utilize a list of SMTP servers belonging to public mail providers to send e-mail messages.
The data from which to compose and target e-mail messages is either received through a randomly opened port or downloaded from IP address 89.149.241.233.

Subverts Anti-Spam Services

The trojan uses the following services to identify the IP address of the affected host:

www.showmyip.com/
www.whatismyip.org/
checkip.dyndns.org/

The trojan listens on port 53 (domain) and 80 (http). This makes it possible for the trojan to subvert the affected host's lookups against a number of DNS-based spam blocklist (DNSBL) services.
Additional Information

During its operation, Trojan:Win32/Pramro.A may utilize a custom entry inside %windir%\SYSTEM.INI to store randomly generated hex values in the following format:

[DRV_VER]
MCI_DPI32 = xx.xx

where xx are two-digit hexadecimal values.

The trojan creates the mutex S_SERV_v0122ALPHAA.
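As an added defender-side check (not part of the Microsoft description), the following Python looks for the three host artifacts listed above, the ipsec-tagged entry under the firewall AuthorizedApplications\List key, the [DRV_VER] / MCI_DPI32 marker in SYSTEM.INI and the S_SERV_v0122ALPHAA mutex, in data exported from a host. The .reg export, INI text, path C:\Temp\sample.exe, hex value 3f.a9 and mutex listing are constructed for the example.

```python
import re
# Firewall exception subkey the trojan adds itself to (from the description above).
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
# In a .reg export the entry appears as "<path>:*:Enabled:ipsec"="<path>".
FW_VALUE_RE = re.compile(r'^"(?P<path>[^"]+):\*:Enabled:ipsec"="(?P<data>[^"]*)"$', re.I)
# SYSTEM.INI marker: a [DRV_VER] section holding MCI_DPI32 = xx.xx (two hex pairs).
DRV_VER_RE = re.compile(r"^MCI_DPI32\s*=\s*([0-9a-f]{2}\.[0-9a-f]{2})\s*$", re.I)
MUTEX_NAME = "S_SERV_v0122ALPHAA"
def _section_lines(text: str, wanted: str):
    """Yield stripped, non-empty lines under the [wanted] header of INI or .reg text."""
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            inside = line[1:-1].strip().lower() == wanted.lower()
        elif inside and line:
            yield line

def find_firewall_exceptions(reg_export: str) -> list:
    """Return the 'ipsec'-tagged entries under AuthorizedApplications\\List."""
    hits = []
    for line in _section_lines(reg_export, FW_LIST_KEY):
        m = FW_VALUE_RE.match(line)
        if m:  # .reg exports double every backslash; undo that for reporting
            hits.append({k: m.group(k).replace("\\\\", "\\") for k in ("path", "data")})
    return hits

def find_drv_ver_marker(system_ini: str) -> list:
    """Return MCI_DPI32 values under [DRV_VER]; a clean SYSTEM.INI has none."""
    lines = _section_lines(system_ini, "DRV_VER")
    return [m.group(1).lower() for m in map(DRV_VER_RE.match, lines) if m]

def scan(reg_export: str, system_ini: str, mutex_names: list) -> dict:
    """Combine the three host indicators into one verdict."""
    fw, ini = find_firewall_exceptions(reg_export), find_drv_ver_marker(system_ini)
    mutex = MUTEX_NAME in mutex_names
    return {"firewall_exceptions": fw, "drv_ver_values": ini,
            "mutex_present": mutex, "suspicious": bool(fw or ini or mutex)}

# Constructed sample input (paths, benign entry, hex value and mutex list are invented).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Example\\app.exe:*:Enabled:Example App"="C:\\Program Files\\Example\\app.exe"
"C:\\Temp\\sample.exe:*:Enabled:ipsec"="C:\\Temp\\sample.exe"
'''
SAMPLE_INI = "[drivers]\nwave=mmdrv.dll\ntimer=timer.drv\n[DRV_VER]\nMCI_DPI32 = 3f.a9\n"
SAMPLE_MUTEXES = ["ShimCacheMutex", MUTEX_NAME]
if __name__ == "__main__":
    print(scan(SAMPLE_REG, SAMPLE_INI, SAMPLE_MUTEXES))
```

On a live host the same checks can be fed with a `reg export` of the List key, the contents of %windir%\SYSTEM.INI and a mutex listing from a handle-enumeration tool.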

Analysis by Oleg Petrovsky

Last update 10 February 2012
