Troj/Lohav-A is a proxy backdoor and downloader Trojan.
The Trojan runs continuously in the background providing a proxy server on a high port number (the default port is 39999). Data can be routed to other computers via the proxy in order to bypass access restrictions and to hide the IP address of the source computer. The proxy may be used to forward SPAM email.
When first run the Trojan copies itself to the Windows System folder and adds the pathname of this file to the following registry entry, so that the Trojan executable is run automatically on startup:
The following registry entries are also created:
HKCU\Software\DateTime\Uid = <random 9-digit string>
HKCU\Software\DateTime\Pid = <process ID for the Trojan> HKCU\Software\DateTime\Port = <port the Trojan listens on>
Troj/Lohav-A repeatedly tries to terminate selected security-related applications, repeatedly tries to connect to various websites and to download executables from remote websites to the Windows folder and run them.
The download URLs and the filenames of the downloaded files vary depending upon the configuration. The Trojan is known to download files named sageBox.exe and MsgBox.exe to the Windows folder.
When the Trojan has successfully downloaded an executable it adds an entry to the registry under HKCU\Software\DateTime\. For example, when the Trojan downloads sageBox.exe and MsgBox.exe, the following registry entries are created:
HKCU\Software\DateTime\sageBox.exe = 1
HKCU\Software\DateTime\MsgBox.exe = 1
This Trojan is known to download and run variants of Troj/LDPinch. W32/Bagle-A is also commonly found on computers infected with this Trojan.