
Backdoor:Win32/Refpron.N


First posted on 18 June 2009.
Source: SecurityHome

Aliases :

Backdoor:Win32/Refpron.N is also known as Win-Trojan/Agent.51200.HD (AhnLab), Trojan-PSW.Win32.Agent.mwh (Kaspersky), Win32/Delf.OIP (ESET), and Generic PWS.y!o (McAfee).

Explanation :

Backdoor:Win32/Refpron.N is a backdoor trojan that may perform activities such as downloading and executing arbitrary files, and sending system information to a remote server. It may download components that allow it to collect per-click advertising revenue from other websites, or perform search engine optimization.

Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected machine.


Installation
Backdoor:Win32/Refpron.N may be dropped and installed as a system service by other malware or Refpron variants. One example we observed in the wild was dropped to <%temp%>mta<random number>.dll, installed as a system service named "msncache" and loaded into svchost.exe on Windows start.

Payload
Backdoor functionality
Once installed, the malware periodically attempts to contact a number of servers. At the time of publication, Backdoor:Win32/Refpron.N was observed to contact the following:
74.54.201.210
174.133.72.250
74.55.37.210
174.133.126.2
jsactivity.com
It sends filename and version information regarding itself to each of these servers. Servers that are available respond with a location from where further files can be downloaded, and parameters for various activities that the backdoor's controller wishes to be performed. These activities are discussed below.

Downloads and executes arbitrary files
Backdoor:Win32/Refpron.N retrieves a list from its remote controller of files to download. The list includes the remote locations and names of the files to be downloaded. Targeted files are downloaded to <system folder> mp0_<12 random digits>.bk. These files are then renamed to <system folder><retrieved file name> and executed. Backdoor:Win32/Refpron.N has been observed to download updates of itself or other components of Backdoor:Win32/Refpron.

Visits websites
The backdoor's controller may provide a list of websites to visit, and search terms and other parameters to use when doing so. This may be in order to collect per-click advertising revenue or perform search engine optimization. Backdoor:Win32/Refpron.N accesses the specified websites using the retrieved terms in the background, and is thus unlikely to be noticed by the affected user.

Additional Information
Files downloaded by Backdoor:Win32/Refpron.N may be detected as TrojanClicker:Win32/Refpron.A.
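The following script is an added example and not part of the original advisory; it turns the indicators described in the Installation and Payload sections (the "msncache" service, the mta<random number>.dll drop in %TEMP%, the mp0_<12 random digits>.bk staging files in the system folder, and the contact servers listed above) into simple triage checks. The service inventory, file listing and proxy log lines it runs on are constructed sample data, and the log format (timestamp, client, destination host, path) is an assumption chosen for the example.

```python
"""Triage checks for the Backdoor:Win32/Refpron.N indicators in the advisory.

Added example, not code from the advisory. Runs against constructed sample
data so that it executes offline.
"""
import re

# Contact servers named in the advisory (hosts compared case-insensitively).
REFPRON_SERVERS = {
    "74.54.201.210",
    "174.133.72.250",
    "74.55.37.210",
    "174.133.126.2",
    "jsactivity.com",
}
# Service name the advisory reports for the in-the-wild sample.
REFPRON_SERVICE_NAME = "msncache"
# <%temp%>mta<random number>.dll
DROPPED_DLL_RE = re.compile(r"[\\/]mta\d+\.dll$", re.IGNORECASE)
# <system folder>mp0_<12 random digits>.bk
STAGING_FILE_RE = re.compile(r"[\\/]mp0_\d{12}\.bk$", re.IGNORECASE)

# Constructed sample data (hypothetical host, not real telemetry).
SAMPLE_SERVICES = [
    {"name": "Dhcp", "binary": r"C:\Windows\System32\svchost.exe -k NetworkService"},
    {"name": "msncache", "binary": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"name": "Spooler", "binary": r"C:\Windows\System32\spoolsv.exe"},
]
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\mta4821.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\mp0_483920184732.bk",
    r"C:\Windows\System32\mp0_1234.bk",  # wrong digit count, must not match
]
SAMPLE_PROXY_LOG = [
    "2009-06-18T09:14:02Z 10.0.0.12 74.54.201.210 /",
    "2009-06-18T09:14:05Z 10.0.0.12 www.example.com /index.html",
    "2009-06-18T09:15:11Z 10.0.0.31 JSActivity.com /",
    "2009-06-18T09:16:40Z 10.0.0.12 174.133.126.2 /",
]


def suspicious_services(services):
    """Return names of services matching the advisory's service name.

    `services` is an iterable of dicts with 'name' and 'binary' keys, as a
    service inventory export might provide.
    """
    return [svc["name"] for svc in services
            if svc["name"].lower() == REFPRON_SERVICE_NAME]


def suspicious_paths(paths):
    """Return paths that match the dropped DLL or staging-file naming pattern."""
    return [p for p in paths
            if DROPPED_DLL_RE.search(p) or STAGING_FILE_RE.search(p)]


def c2_contacts(log_lines):
    """Return (client, destination) pairs whose destination is a listed server.

    Each log line is assumed to be 'timestamp client destination path';
    malformed lines are skipped rather than raising.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, dest = parts[1], parts[2].lower()
        if dest in REFPRON_SERVERS:
            hits.append((client, dest))
    return hits


def triage(services, paths, log_lines):
    """Combine the three checks into one report for a host."""
    return {
        "services": suspicious_services(services),
        "paths": suspicious_paths(paths),
        "contacts": c2_contacts(log_lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SERVICES, SAMPLE_PATHS, SAMPLE_PROXY_LOG).items():
        print(f"{key}: {value}")
```

A service named "msncache" or a single file-name match is a weak signal on its own; the advisory's indicators are most useful in combination, which is why `triage` reports all three checks together so an analyst can see whether the host also reached the listed servers.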

Analysis by Shawn Wang

Last update 18 June 2009
