Russian anti-virus company Doctor Web is warning users about the malicious program which is helping attackers carry out mass spam mailings and allow attacker to use victim's PC as slave of his DDOS Army.
According to researchers from the company they have discovered a Trojan "Trojan.Proxy.23012" application that uses a rare method of distribution through peer networks.
"The botnet, consisting of Trojan.Proxy.23012-infected computers, is used by criminals to control proxy servers for the purpose of using them to send spam upon command". An example of such a spam message is shown in the screenshot below.
This Malware work as:
1.) Using peer to peer network it will download the executable file and that will be a encrypted malicious module. A very interesting algorithm used by the Trojan to download the infected computer other malware.
2.) After successfully decrypt it launches another module that reads the image in computer memory or other malicious applications.
3.) The program is saved to a user account as an executable file with a random name, and then modifies the registry Windows, to give yourself the ability to automatically run along with the operating system loads.
4.) Trojan is launched automatically at Windows' startup. The malware also tries to disable the UAC. At the final stage of the installation process, the Trojan code is injected into explorer.exe.
After successfully downloading the DDoS-module generates up to eight independent threads that begins continuously sending POST-requests to the server from a stored list of Trojan downloader, and trying to connect with a number of servers via SMTP, and then sends them to the random data.
Total list contains 200 selected as a target for DDoS-attack sites, some of which are known resources such as a portal love.com, owned corporation America On-Line, sites of several major U.S. universities, as well as portals msn.com, netscape.com and others.