Analysis on Trojan-Proxy.Win32.Ranky.fv

2006-08-15

Antiy Cert

Virus label

Name: Trojan-Proxy.Win32.Ranky.fv
Type: Trojan
File MD5: 9BC2F9E15A4802FE5BE55A0510F2F0E3
Distribution: Wide-distribution
Harm class: Medium
File length: 25,185 bytes
Systems affected: Windows 98 and above
Packer: FSG 2.0
Aliases: Symantec [], McAfee []

Description:

  This is a Trojan. When started, it drops a copy of itself as %windir%\NT\nrcs.exe, deletes all existing startup entries under the registry Run key, modifies the Winlogon registry values so that it is launched together with userinit.exe and Explorer.exe, and creates its own entry in the autorun (Run) key so that it starts with the system. It also resets the system hidden attribute.


Technical Details:

 

1、When started, the Trojan drops the following file:

%windir%\NT\nrcs.exe

2、It deletes all existing startup entries under the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

3、It modifies the Winlogon registry values so that it is launched together with userinit.exe and Explorer.exe:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
New value: String: "Shell"="Explorer.exe C:\WINDOWS\NT\nrcs.exe"
Old value: String: "Shell"="Explorer.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
New value: String: "Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\NT\nrcs.exe"
Old value: String: "Userinit"="C:\WINDOWS\system32\userinit.exe,"

4、It modifies the registry, creating an entry in the autorun key so that it starts with the system, and registering itself as a service and as a firewall-authorized application:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft (R) Windows Vista
Value: String: "NT Runtime Compatibility Service"="C:\WINDOWS\NT\nrcs.exe"

HKEY_LOCAL_MACHINE\SOFTWARE
Value: String: "Tmp"="LegacyDriver"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTRCS\0000\Control
Value: String: "ActiveService"="ntrcs"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTRCS\0000
Value: String: "DeviceDesc"="Windows Vista/NT Runtime Compatibility Service"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTRCS\0000
Value: String: "Service"="ntrcs"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ntrcs
Value: String: "ImagePath"="C:\WINDOWS\NT\nrcs.exe."

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ntrcs
Value: String: "ObjectName"="LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Value: String: "C:\WINDOWS\NT\nrcs.exe"="C:\WINDOWS\NT\nrcs.exe:*:Enabled:Microsoft (R) Windows Vista/NT Runtime Compatibility Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTRCS\0000\Control
Value: String: "ActiveService"="ntrcs"

5、It resets the system hidden attribute.

Note: %System% is a variable path. The Trojan checks the OS version to determine the location of the current system folder. The default installation path is C:\Winnt\System32 on Windows 2000/NT, C:\Winnt\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.
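As an added defensive example (not part of the original Antiy analysis), the following Python takes the Winlogon Shell/Userinit values and the Run key values as exported from a host and flags the extra programs this Trojan appends; the clean-baseline values are assumptions for a default Windows XP installation and the sample input is constructed from the values listed above.

```python
# Baseline Winlogon values on a clean Windows XP installation (assumption;
# adjust for other Windows versions or localized installs).
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"
# Folder the dropped copy lives in, per the analysis above (%windir%\NT).
DROP_DIR = "c:\\windows\\nt\\"


def first_token(command: str) -> str:
    """Return the executable path from a command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def extra_winlogon_entries(shell: str, userinit: str) -> dict:
    """Return programs appended to Winlogon's Shell and Userinit values.

    Shell is a space-separated program list; Userinit is comma-separated and
    normally ends with a trailing comma. Anything beyond the baseline is an
    extra program Winlogon will launch at every logon.
    """
    shell_items = shell.split()
    userinit_items = [p.strip() for p in userinit.split(",") if p.strip()]
    return {
        "Shell": [p for p in shell_items if p.lower() != EXPECTED_SHELL],
        "Userinit": [p for p in userinit_items if p.lower() != EXPECTED_USERINIT],
    }


def run_entries_in_drop_dir(run_values: dict) -> list:
    """Return Run-key value names whose command points into the drop folder."""
    return [name for name, cmd in run_values.items()
            if first_token(cmd).lower().startswith(DROP_DIR)]


def triage(shell: str, userinit: str, run_values: dict) -> list:
    """Combine the checks into a list of human-readable findings."""
    findings = []
    for value, progs in extra_winlogon_entries(shell, userinit).items():
        findings += [f"Winlogon\\{value} launches extra program: {p}" for p in progs]
    findings += [f"Run value '{n}' points into {DROP_DIR}" for n in run_entries_in_drop_dir(run_values)]
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the registry values listed in the analysis.
    sample_run = {"NT Runtime Compatibility Service": "C:\\WINDOWS\\NT\\nrcs.exe"}
    for line in triage("Explorer.exe C:\\WINDOWS\\NT\\nrcs.exe",
                       "C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\NT\\nrcs.exe",
                       sample_run):
        print(line)
```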


Copyright © 1999-2001 Antiy Labs. All rights reserved.