Sophos

Troj/Proxmeg-A

Aliases
  • Trojan-Proxy.Win32.Small.by
  • Trojan-Dropper.Win32.Small.yv

Summary

Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Included in our products from July 2005 (3.95)
Protection available since 7 June 2005 19:48:25 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing Trojans.

You should also check your Internet Explorer settings using Tools|Internet options|General for any modifications made by the Trojan.

More Information

Troj/Proxmeg-A is a proxy Trojan with downloader capabilities.

Troj/Proxmeg-A may be used to send spam email.

Troj/Proxmeg-A will attempt to reduce internet security settings and interfere with the Windows XP Firewall and Security Center.

When first run, Troj/Proxmeg-A will create the following file:

<Windows system folder>\sysfast.dll - Troj/Proxmeg-A

In order to run the DLL automatically, the Trojan will set the following registry entry:

HKCR\CLSID\{Random CLSID}\InProcServer32
(default)
<Windows system folder>\sysfast.dll

and one of the following:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{Random CLSID}
OLE Object

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
{Random CLSID}
OLE Object

Troj/Proxmeg-A will alter internet security settings by modifying registry settings under the following:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\

Troj/Proxmeg-A will attempt to interfere with the Windows XP Firewall and Security Center by modifying the following registry entries:

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SYSTEM\ControlSet001\Services\wscsvc
Start
4

Troj/Proxmeg-A will attempt to suppress warning messages generated by firewall applications.
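The following PowerShell check is an added example, not a Sophos tool: it reads (and never modifies) the locations named above and reports the dropped DLL, the SharedTaskScheduler / ShellServiceObjectDelayLoad persistence entry whose CLSID resolves to sysfast.dll, and any Security Center, firewall or Windows Update value that currently matches the tampered state. It assumes an elevated PowerShell session and checks only the indicators this page lists.

```powershell
# Constructed example for this advisory; read-only, run from an elevated prompt.
function Find-ProxmegIndicators {
    $findings = @()
    # Dropped file in the Windows system folder.
    $dll = Join-Path ([Environment]::SystemDirectory) 'sysfast.dll'
    if (Test-Path $dll) { $findings += "File present: $dll" }
    # Persistence: the advisory says one of these two keys gets a {CLSID} value;
    # resolve each CLSID's InProcServer32 default value and look for sysfast.dll.
    $loadKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    )
    foreach ($key in $loadKeys) {
        if (-not (Test-Path $key)) { continue }
        $names = (Get-ItemProperty -Path $key).PSObject.Properties.Name | Where-Object { $_ -like '{*}' }
        foreach ($clsid in $names) {
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
            if (-not (Test-Path $server)) { continue }
            $target = (Get-ItemProperty -Path $server).'(default)'
            if ($target -match 'sysfast\.dll$') {
                $findings += "Persistence: $key\$clsid -> $target"
            }
        }
    }
    # Security Center / firewall / Windows Update values, with the data the Trojan
    # writes. The page names ControlSet001; the live set is also reachable as
    # HKLM:\SYSTEM\CurrentControlSet if you want to extend the check.
    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    $checks = @(
        @{ Path = $sc; Name = 'AntiVirusDisableNotify'; Bad = 1 },
        @{ Path = $sc; Name = 'FirewallDisableNotify';  Bad = 1 },
        @{ Path = $sc; Name = 'AntiVirusOverride';      Bad = 1 },
        @{ Path = $sc; Name = 'FirewallOverride';       Bad = 1 },
        @{ Path = $sc; Name = 'UpdatesDisableNotify';   Bad = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Name = 'EnableFirewall';  Bad = 0 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall';  Bad = 0 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';           Name = 'DoNotAllowXPSP2'; Bad = 1 },
        @{ Path = 'HKLM:\SYSTEM\ControlSet001\Services\wscsvc';                        Name = 'Start';           Bad = 4 }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($c.Name) -eq $c.Bad) {
            $findings += "Tampering: $($c.Path)\$($c.Name) = $($c.Bad)"
        }
    }
    return $findings
}
$hits = Find-ProxmegIndicators
if ($hits) { $hits | ForEach-Object { Write-Warning $_ } } else { 'No Troj/Proxmeg-A indicators found.' }
```

A hit on the Security Center or firewall values is not proof of this Trojan on its own, since an administrator or policy can set the same data; treat it as a prompt to run the removal steps and verify the settings by hand.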
