Trojan Information
Discovery Date: 02/02/2004
Origin: Unknown
Length: 7,680 bytes (UPX packed)
Type: Trojan
SubType: Win32
Description Added: 02/02/2004
Description Modified: 02/02/2004 7:44 AM (PT)
This detection is for malware intended to serve as a proxy on the victim machine. Once running, the infected host may be used as an email relay, which is likely to be used for routing spam messages.
It is probable that this trojan is related to Proxy-Regate.
When run on the victim machine, a notification is sent to the hacker via HTTP. For this, a script on one of the following remote servers is used:
www.sweetestlife.biz
makeyrday.biz
b00sterpac.biz
An HTTP GET request is issued to a script on this server to send the hacker information such as:
IP address of victim machine
port opened on victim machine (e.g. 25204)
proxy 'key' (some unique identifier)
A port is opened for listening on the victim machine - the exact port is likely to be configurable. At least one sample received by Avert used port 25204.
The following Registry key is added:
HKEY_LOCAL_MACHINE\Software\Microsoft\(string)
"k" = (proxy 'key')
The string used for the key name consists of 6 random A-Z characters, and is written to the file %SysDir%\MSPR.DAT, for example:
C:\WINDOWS\SYSTEM\MSPR.DAT
No installation on the victim machine was observed for the sample received by Avert. Future variants are likely to incorporate some form of installation, typically copying itself into %WinDir% or %SysDir% and using a Registry key to hook system startup.
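An offline triage check for the two host artefacts described above, the MSPR.DAT file and the six-letter Registry key holding "k". This is an added example, not part of the original description or any vendor tool. It assumes the name is stored in MSPR.DAT as plain ASCII and that the Registry is supplied as decoded text from a .reg export. The function names and the sample export are hypothetical.

```python
import re
from pathlib import Path

KEY_NAME = re.compile(r"[A-Z]{6}")            # six random A-Z characters
SECTION = re.compile(r"^\[(.+)\]$")           # [HKEY_...\Key] header in a .reg export
VALUE_K = re.compile(r'^"k"="(.*)"$')         # string value named "k"
PARENT = "hkey_local_machine\\software\\microsoft\\"

# Constructed sample export; key name and value are made up for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\QWERTY]
"k"="constructed-proxy-key"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"k"="unrelated"
'''

def read_marker(sysdir):
    """Return the key name stored in MSPR.DAT under sysdir, or None."""
    path = Path(sysdir) / "MSPR.DAT"
    if not path.is_file():
        return None
    # Assumption: the name is stored as plain ASCII, possibly padded.
    text = path.read_bytes()[:64].decode("ascii", "ignore").strip("\x00\r\n ")
    return text if KEY_NAME.fullmatch(text) else None

def find_k_values(reg_text):
    """Map six-letter subkeys directly under the Microsoft key to their "k" value."""
    found, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        header = SECTION.match(line)
        if header:
            key = header.group(1)
            sub = key[len(PARENT):] if key.lower().startswith(PARENT) else ""
            current = sub if KEY_NAME.fullmatch(sub) else None
        elif current and VALUE_K.match(line):
            found[current] = VALUE_K.match(line).group(1)
    return found

def triage(sysdir, reg_text):
    """Correlate the MSPR.DAT marker with the registry export."""
    marker, keys = read_marker(sysdir), find_k_values(reg_text)
    if marker and marker in keys:
        verdict = "match"       # file and registry agree
    elif marker or keys:
        verdict = "partial"     # only one artefact present: review manually
    else:
        verdict = "clean"
    return {"verdict": verdict, "marker": marker, "candidates": keys}
```

A "partial" verdict means only one of the two artefacts was found and needs manual review, since a six-letter key with a "k" value is not unique to this trojan.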
More: http://vil.nai.com/vil/content/v_100992.htm
