hello!
I am not a virus analysis expert, but a few days ago I played with a port sniffing program. What I detected is that ccproxy sends a request to “oraniom.com” and that domain sends an ICMP packet in return. I immediately deleted ccproxy, but I am worried about what other spyware they uploaded to my system and what they have stolen. I need your help to clean my system and analyze that program.
Also, if you ping oraniom.com, they send an ICMP packet back with this content:
abcdefghijklmnopqrstuvwabcdefghiabcdefghijklmnopqrstuvwabcdefghi
abcdefghijklmnopqrstuvwabcdefghi
Unfortunately I uninstalled it a few days ago, but I just used a file recovery program and here is the recovered exe file: http://www.sendspace.com/file/ryzg7w
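The string shown above is the 32-byte sequence "abcdefghijklmnopqrstuvwabcdefghi" repeated. That sequence is the default data the Windows ping utility places in every ICMP Echo Request, and an Echo Reply must copy the request's identifier, sequence number and data back unchanged (RFC 792), so any host that answers a Windows ping shows exactly this payload in a sniffer. The following is an added example, not code from the thread or from CCProxy: it builds an Echo Request with that constructed payload, produces the reply a normal ICMP stack would send, decodes it, verifies the RFC 1071 checksum and flags whether the data is the stock Windows pattern, which is how one tells an ordinary ping exchange apart from something carrying other content.

```python
import struct

# Constructed sample: the 32-byte data the Windows ping utility puts in an
# ICMP Echo Request. A reply mirrors it, so this is what a sniffer shows
# whenever any host answers a Windows ping.
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """Build an ICMP Echo Request/Reply (type, code 0, checksum, id, seq, data)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data


def parse_echo(packet: bytes) -> dict:
    """Decode an ICMP Echo packet and flag the standard Windows payload."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes; packet too short")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    data = packet[8:]
    # Summing the whole packet, stored checksum included, folds to zero
    # exactly when the stored checksum is correct.
    return {
        "type": icmp_type,
        "code": code,
        "checksum_ok": icmp_checksum(packet) == 0,
        "id": ident,
        "seq": seq,
        "data": data,
        "windows_default_payload": data == WINDOWS_PING_DATA,
    }


def reply_for(request: bytes) -> bytes:
    """What a host's ICMP stack sends back: type 0 with the same id, seq and data."""
    req = parse_echo(request)
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["data"])


if __name__ == "__main__":
    request = build_echo(ICMP_ECHO_REQUEST, 1, 7, WINDOWS_PING_DATA)
    reply = parse_echo(reply_for(request))
    print("reply type:", reply["type"], "checksum ok:", reply["checksum_ok"])
    print("payload is the Windows ping default:", reply["windows_default_payload"])
    print(reply["data"].decode())
```

Linux ping uses a different default pattern (a timestamp followed by incrementing bytes), so the same check would report False for a capture taken on a Linux host; the point of the decoder is that the data field, not the mere existence of a reply, is what carries any information.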
Summary
HackTool:Win32/CCProxy.B is a tool used to redirect your Internet traffic through a specified proxy server.
Symptoms
System changes
The following system changes may indicate the presence of this malware:
The presence of the following files:
\log\log.txt
\ccproxy.ini
Technical Information (Analysis)
Installation
HackTool:Win32/CCProxy.B creates the following files:
\log\log.txt
\ccproxy.ini
Payload
Opens and listens to certain ports
HackTool:Win32/CCProxy.B opens and listens to the following TCP ports: 1080, 110, 119, 2121, 23, 25, 808
To check for Internet connectivity, it tries to connect to yahoo.com via port 80.
Redirects Internet traffic through a proxy server
HackTool:Win32/CCProxy.B is used to redirect your Internet traffic through a proxy server.
→ It may be configured by a remote attacker to listen in on your Internet activities. ←
Analysis by Hyun Choi (Microsoft Malware Protection Center)
Most websites say it is a proxy/hacktool. I know that; I used it to create a proxy server. But why does it try to connect to “oraniom.com”, which is not mentioned anywhere on the website, if it is classified as a proxy/hacktool only?
I also did a whois on oraniom.com; it is totally unrelated to that company.
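The MMPC entry quoted above gives two concrete host-side indicators: the TCP ports the tool listens on and the two files it creates. The following is an added example, not code from the thread, from Microsoft or from CCProxy: a small Python checker that parses Windows "netstat -ano" text, reports which of the listed ports are in LISTENING state and which process owns them, and checks the install directory for the two files. The netstat lines and the install directory it creates are constructed samples; on a real host you would feed it the actual netstat output and the directory the tool was installed in.

```python
import os
import tempfile
from typing import Dict, List, Tuple

# Listening ports MMPC lists for HackTool:Win32/CCProxy.B (from the thread).
CCPROXY_PORTS = {1080, 110, 119, 2121, 23, 25, 808}
# Files it creates, relative to its install directory (from the thread).
CCPROXY_FILES = [os.path.join("log", "log.txt"), "ccproxy.ini"]

# Constructed sample of Windows "netstat -ano" output (the PID column is why
# -o is used: it ties a listening port back to a process).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:808            0.0.0.0:0              LISTENING       2468
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING       2468
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED     1234
  UDP    0.0.0.0:5353           *:*                                    3000
"""


def listening_tcp_ports(netstat_output: str) -> List[Tuple[int, str]]:
    """Parse 'netstat -ano' text into (port, pid) for every LISTENING TCP socket."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            # rsplit handles both "0.0.0.0:1080" and IPv6 "[::]:1080".
            port = int(parts[1].rsplit(":", 1)[1])
            found.append((port, parts[4]))
    return found


def ccproxy_indicators(netstat_output: str, install_dir: str) -> Dict[str, list]:
    """Return which MMPC port and file indicators are present on this host."""
    ports = sorted(p for p in listening_tcp_ports(netstat_output)
                   if p[0] in CCPROXY_PORTS)
    files = [f for f in CCPROXY_FILES
             if os.path.isfile(os.path.join(install_dir, f))]
    return {"listening_ports": ports, "files": files}


def make_sample_install_dir() -> str:
    """Constructed install directory containing only ccproxy.ini, for the demo."""
    d = tempfile.mkdtemp(prefix="ccproxy_demo_")
    os.makedirs(os.path.join(d, "log"), exist_ok=True)  # empty log dir, no log.txt
    with open(os.path.join(d, "ccproxy.ini"), "w") as fh:
        fh.write("[Settings]\n")
    return d


if __name__ == "__main__":
    hits = ccproxy_indicators(SAMPLE_NETSTAT, make_sample_install_dir())
    for port, pid in hits["listening_ports"]:
        print("CCProxy port %d listening, owned by PID %s" % (port, pid))
    for f in hits["files"]:
        print("CCProxy file present:", f)
```

Ports 25, 110, 119 and 23 are also legitimate mail, news and telnet ports, so a hit on one of them only says "something listens there"; the PID column is what lets you confirm which executable owns the socket before treating it as this tool.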
Determine non cached NS from root
NS
K.GTLD-SERVERS.NET. [192.52.178.30] [Query Parent Server for ORANIOM.COM.] HAS GLUE
N.B. not authoritative, but it’s a pointer to the authoritative servers, allowing for the loop to be resolved. (remark from polonus)
The parent nameserver K.GTLD-SERVERS.NET DID send out GLUE for [at least] NS61.MIHANWEBHOST.COM. This means K.GTLD-SERVERS.NET is reporting NS61.MIHANWEBHOST.COM’s host names AND sending the A (IP address) records for NS61.MIHANWEBHOST.COM. This is good and avoids an extra ‘A’ lookup. For full details, see RFC 1912, Section 2.3
If you find problems, we could also ask for the help of a qualified removal expert here on the web forums.
Thanks; fortunately the DNS leak test result was correct for me. It was Google DNS that I had set in the LAN settings.
How about log files? Is there anything I should worry about?
I am not sure what oraniom.com is doing, but fortunately it went away when I removed ccproxy?
I think, for the moment, you're good to go.
But it would not harm to do the following test - go here: http://www.thinkbroadband.com/tools/dnscheck.html
What you should get if things are OK is the following message:
Success! We detected your IP address as NN.NN.NN.NN and did not find an open DNS resolver running.
Did you get a similar green result? Congrats, you are not likely to be a zombie.
Results for both my original IP and my ssh tunnel IP:
thinkbroadband: result was success; measurement-factory.com: not working (empty result)
myresolver: was correct ip and dns
No, it is not spyware or malware as such.
avast! only detects it as a PUP, a program that may be unwanted when it was not intentionally installed, or was added by an attacker.
The threat is that there is room for abuse by a third party attacker…
I use Proxifier to share it. Actually, here is what I am doing:
an ssh tunnel for personal use,
and using ccproxy I created a local SOCKS5 server, shared the ssh tunnel on it, and then used that SOCKS5 on my phone