Hi mh,
Here is the description on this trojan:
Method of propagation:
• No own spreading routine
Aliases:
• Mcafee: Proxy-FBSR
• Kaspersky: Trojan-Proxy.Win32.Ranky.z
• TrendMicro: BKDR_RANKY.FZ
• F-Secure: W32/Ranky.RP
• Bitdefender: Trojan.Proxy.Ranky.Z
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Registry modification
Registry The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• “Sxcasdwqas”=“%malware execution directory%%executed file%”
Backdoor The following port is opened:
– %executed file% on a random TCP port in order to provide a proxy server.
Contact server:
All of the following:
• http://.homeunix.net/b.php
• http://.hopto.org/b.php
• http://.bounceme.net/b.php
• http://.shacknet.nu/b.php
• http://**********.bounceme.net/b.php
As a result it may send some information. This is done via the HTTP GET request on a PHP script.
Sends information about:
• Opened port
Miscellaneous Mutex:
It creates the following Mutex:
• Sdwqsdghq
Stop the following Trojanspy.win32.Ranky processes:
3007cdf6829484531218d69c4c4e71eb.exe
Locate and delete the following Trojanspy.win32.Ranky files:
3007cdf6829484531218d69c4c4e71eb.exe
///////////////////////////////////////////////////////////////////////////////////
Please download DrWeb-CureIt from here: http://www.majorgeeks.com/downloadget.php?id=4783&file=10&evp=ef9669e4f16e6e75d95abcde8f88163d
& save it to your desktop. DO NOT perform a scan yet.
You should copy/print the following because you need to be in Safe Mode from here on.
Reboot your computer into SAFE MODE" using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in “Safe Mode”.
Scan with DrWeb-CureIt as follows:
- Double-click on drweb-cureit.exe to start the program. An “Express Scan of your PC” notice will appear.
- Under “Start the Express Scan Now”, Click “OK” to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
- Once the short scan has finished, Click Options > Change settings
- Choose the “Scan tab” and UNcheck “Heuristic analysis”
- Back at the main window, click “Select drives” (a red dot will show which drives have been chosen)
- Then click the “Start/Stop Scanning” button (green arrow on the right) and the scan will start.
- When done, a message will be displayed at the bottom advising if any viruses were found.
- Click “Yes to all” if it asks if you want to cure/move the file.
- When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select “Move incurable”.
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can’t be cured)
- Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
- Save the DrWeb.csv report to your desktop.
- Exit Dr.Web Cureit when done.
- Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report) and attach this to your next posting. Or post it as a txt report.
polonus
