Virus & Spyware Info
We provide the latest information on new viruses, spyware, and other malware.

Name: Trojan-Proxy/W32.Small.15364
Alias: Trojan.Generic.1445901 [BitDefender], TROJ_PROXY.AEI [TrendMicro], Trojan Horse [Symantec], Trojan-Proxy.Win32.Small.zi [Kaspersky]
Current Spread Level System Threat Level
Network Proliferation Potential Danger Level
Active Platform: Windows
Form/Type: Trojan
Method of Spread: Hacked Website, Windows Vulnerability
Main Symptoms: File Creation, Registry Modification
Created Files: nfr.dll
File Size: 15,364 bytes
Activity Date: 0000-00-00
Country of Origin: Unspecified
Detection Date: 0000-00-00
Similar/Altered Viruses: small
Detectable Engine: 2009.02.26.02
Reparable Engine: 2009.02.26.02
Description

[Summary]

Trojan-Proxy/W32.Small.15364 creates specific files, opens a specific port and waits for the user's command.

[Propagation]

Trojan-Proxy/W32.Small.15364 does not spread by itself. It spreads by being attached to other programs downloaded through P2P, as an e-mail attachment, and through the exploitation of security vulnerabilities on certain websites.

[Symptoms]

1. Trojan-Proxy/W32.Small.15364 creates the following files when executed.

- (Windows System Folder)\nfr.dll (10,752 bytes, Trojan-Proxy/W32.Small.10752.E)


2. The malware is registered in the registry below to run upon system start-up.
 
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

- Name: nfr
- Data: rundll32.exe nfr.dll,ServiceMain /pid=10005

3. Registers the following value for the proxy server settings.

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\

- Name: ProxyEnable
- Data: 0x00000001

- Name: ProxyServer
- Data: http=localhost:7070

- Name: ProxyOverride
- Data: *.local;

4. Registers the following registry value to make an exception in the Windows firewall.

- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\

- Name: 80:TCP
- Data: 80:TCP:*:Enabled:nfr

- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\
                            
- Name: 7070:TCP
- Data: 7070:TCP:*:Enabled:nfr
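
The registry changes listed in steps 2 to 4 can be checked offline against a registry export taken from a suspect host. The following Python script is an added example, not part of the original ISARC analysis; the function names and the sample export are constructed for illustration, and the indicator values are copied from the list above.

```python
import re

FW = (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters"
      r"\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")
# (key, value name, data) exactly as listed in the [Symptoms] section above.
INDICATORS = [
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "nfr", "rundll32.exe nfr.dll,ServiceMain /pid=10005"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings",
     "ProxyServer", "http=localhost:7070"),
    (FW, "80:TCP", "80:TCP:*:Enabled:nfr"),
    (FW, "7070:TCP", "7070:TCP:*:Enabled:nfr"),
]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg strings escape \ and " with a backslash

def parse_reg(text):
    """Return {(key, name): data} for string values; key and name lower-cased."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE_RE.match(line)):
            values[(key, unescape(m.group(1)).lower())] = unescape(m.group(2))
    return values

def find_indicators(text):
    """List the (key, name) indicators whose data matches (registry is case-insensitive)."""
    values = parse_reg(text)
    return [(k, n) for k, n, d in INDICATORS
            if values.get((k.lower(), n.lower()), "").lower() == d.lower()]

# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"nfr"="rundll32.exe nfr.dll,ServiceMain /pid=10005"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=proxy.corp.example:8080"
'''

if __name__ == "__main__":
    print(*find_indicators(SAMPLE), sep="\n")
```

Exports written by regedit or `reg export` are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `find_indicators`.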

[Reference Information]

- (Drive Root) refers to the upper-most folder. (ex. C:\, D:\)

- (Windows Drive Root) is the upper-most folder in the drive with Windows.

- (User Temporary Folder) generally refers to C:\Documents and Settings\(User Account)\Local Settings\Temp.

- (Windows Folder) generally refers to C:\WINDOWS in Windows 95/98/ME, to C:\WINNT in Windows 2000/NT, and to C:\WINDOWS in Windows XP/2003/Vista.

- (Windows System Folder) generally refers to C:\WINDOWS\SYSTEM in Windows 95/98/ME, to C:\WINNT\SYSTEM32 in Windows 2000/NT, and to C:\WINDOWS\SYSTEM32 in Windows XP/2003/Vista.

Manual Treatment Method

[Repairing with nProtect Netizen / nProtect Personal]

1. Run the product and click on the ON-SCAN button at the top.
2. Check on all the files in Settings and click on the Scan Now button.
3. If malware is detected through the scan, click on the Yes button in the Treatment Option Window.
4. Check if the malware has been successfully repaired.

[Repairing with nProtect Anti-Virus/Spyware 2007 / nProtect GameGuard Personal 2007]

1. Run the product and update the engine and patch file to the latest version. (Using the main window, tray icon, or start menu)
2. Select the Virus/Spyware tab and click on the Scan Now button.
3. If malware is detected through the scan, click on the Repair button.
4. Check if the malware has been successfully repaired.


Contents Copyright Notice
The analyzed data above is copyrighted material of ISARC (INCA Internet Security Analysis & Response Center) and may not be used without permission.

Non-profit organizations or personal individuals may use the contents, but must cite the source, and any use of the information for commercial purposes or by corporations must first contact our contents manager and get our approval.

Information Contents Inquiries : sale@inca.co.kr