
Trojan.Proxy.Horst.AV

LOW
MEDIUM
~55k (packed)

Symptoms

- Presence of a service called "Windows Log"
- Presence in %SYSTEMROOT%\System of a file smss.exe
- Presence in %SYSTEMROOT%\System32 of a file nvsvcd.exe

Removal instructions:

- Open services.msc from Start->Run and stop the service called Windows Log
- Let BitDefender delete your malware files


Analyzed By

Vlad Constantin Ilie, virus researcher

Technical Description:

- When executed, the malware drops a file named tmp1.tmp in %TEMP% (which BitDefender detects as Trojan.Proxy.Horst.AZ), then starts svchost.exe (Generic Host Process for Win32 Services, a well-known Windows process) and overwrites the original code of svchost.exe in memory with its own code.
- The modified svchost.exe does the following:
  + Copies the malware file to %SYSTEMROOT%\System\smss.exe;
  + Adds in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run the value:
    * Value Name: .nvsvc
    * Value Data: %SYSTEMROOT%\System\smss.exe /w;
  + Copies the file %TEMP%\tmp1.tmp to %SYSTEMROOT%\System32\nvsvcd.exe and executes it with the -install parameter. This creates a service called Windows Log;
  + If the OS is Windows XP Service Pack 2, adds in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List the value:
    * Value Name: "C:\WINNT\System32\svchost.exe"
    * Value Data: "C:\WINNT\System32\svchost.exe:*:Enabled:Microsoft Update"
  With this value set, svchost.exe (and therefore the injected code running inside it) is ignored by Windows Firewall when it connects to the Internet;
  + Tries to stop and delete or disable the following services:
    * "wscsvc" Security Center
    * "SharedAccess" Windows Firewall/Internet Connection Sharing (ICS)
    * "wuauserv" Automatic Updates
    * "kavsvc"
    * "SAVScan"
    * "Symantec Core LC"
    * "navapsvc"
  + Deletes from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run the value "KAVPersonal50" so that Kaspersky AV won't start at the next reboot;
  + Checks for an updated version of itself at http://rc.rizalof.com/[removed]. If it finds one, it copies it to %TEMP%\smss.exe and executes it;
  + Connects to an IRC server from which it receives links to executable files, which it downloads and executes.
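
As an added example (not BitDefender's code and not part of the original description), the following read-only PowerShell triage script checks a host for the indicators listed above: the "Windows Log" service, the dropped files, the .nvsvc Run value, the svchost.exe firewall exception, and the state of the services the trojan tries to stop or disable. It generalizes the firewall check to whatever Windows directory the host uses rather than only the C:\WINNT path shown above; the function name, variable names and output wording are the example's own assumptions.

```powershell
# Added triage script for the Trojan.Proxy.Horst.AV indicators described above.
# Read-only: it reports findings and changes nothing on the host.
# Function and variable names are this example's own, not from the description.

function Get-HorstIndicators {
    $findings = @()
    $sysRoot = $env:SystemRoot

    # 1. Service "Windows Log" (created by nvsvcd.exe -install).
    $svc = Get-Service -Name 'Windows Log' -ErrorAction SilentlyContinue
    if ($svc) { $findings += "Service 'Windows Log' present (status: $($svc.Status))" }

    # 2. Dropped files. A legitimate smss.exe lives in System32, never in %SYSTEMROOT%\System.
    $paths = @(
        (Join-Path $sysRoot 'System\smss.exe'),
        (Join-Path $sysRoot 'System32\nvsvcd.exe'),
        (Join-Path $env:TEMP 'tmp1.tmp')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }

    # 3. Run-key persistence: value ".nvsvc" pointing at System\smss.exe /w.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['.nvsvc']) {
        $findings += "Run value '.nvsvc' = $($run.'.nvsvc')"
    }

    # 4. Windows Firewall (XP SP2) authorized-application entry for svchost.exe.
    #    Any enabled entry whose name ends in svchost.exe matches, whatever the drive
    #    or Windows directory (the description shows C:\WINNT).
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\' +
             'FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
    if ($fw) {
        foreach ($prop in $fw.PSObject.Properties) {
            if ($prop.Name -match 'svchost\.exe$' -and "$($prop.Value)" -match ':Enabled:') {
                $findings += "Firewall exception for svchost.exe: $($prop.Value)"
            }
        }
    }

    # 5. Services the trojan tries to stop, delete or disable. Only services that exist
    #    on this host are reported; a third-party AV service that was never installed
    #    is simply absent and not a finding.
    $targets = 'wscsvc', 'SharedAccess', 'wuauserv', 'kavsvc', 'SAVScan',
               'Symantec Core LC', 'navapsvc'
    foreach ($name in $targets) {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($s -and $s.Status -ne 'Running') {
            $findings += "Service '$name' not running (status: $($s.Status))"
        }
    }

    # The leading comma keeps an empty result as an array instead of $null.
    return ,$findings
}

$hits = Get-HorstIndicators
if ($hits.Count -eq 0) {
    'No Trojan.Proxy.Horst.AV indicators found.'
} else {
    'Indicators found:'
    $hits | ForEach-Object { " - $_" }
}
```

Run it from an elevated prompt so the HKLM keys and the System directories are readable. A single stopped service is weak evidence on its own (Automatic Updates may be off by policy, for instance); the combination of the Windows Log service, the Run value and the svchost.exe firewall exception is what matches the behaviour described above. Note that the deleted "KAVPersonal50" Run value cannot be detected by absence alone, so it is not checked here.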