Troj_Proxy.AFV is a Trojan that arrives as a file downloaded from malicious Web sites, either by other malware or by the user. It can also arrive as an attachment to spammed email messages.

It is reportedly spammed using sensational news headlines as email subjects to hook unsuspecting victims. Because the headlines are taken from actual news, the messages are harder to recognize as malicious. It reportedly uses the following email details:

Subject: (any of the following)

  • Law hits Las Vegas 'fake' bands
  • Man Awakens From 19-Year Coma
  • Re: U.S. violent crime up again, more murders, robberies

Message body: (any of the following)

  • Decade Of Mystery: John Ramsey Speaks
  • Man wakes from 19-year coma in Poland
  • US vows to pursue hunt for missing soldiers
  • Password for submitted attachment is xxx

The attachments are password-protected ZIP archives with random file names that appear to come from news organizations.
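As an added defender-side illustration (not code from the page or from Trend Micro), the following Python check flags a message that matches the lure described above: a ZIP attachment whose entries carry the ZIP "encrypted" flag, combined with a body line announcing the attachment password. The sample message, sender address and attachment name are constructed here for the demonstration.

```python
"""Flag mail matching the lure pattern: password-protected ZIP attachment
plus a body line that hands the recipient the archive password."""
import email
import email.policy
import io
import re
import struct
import zipfile
from email.message import EmailMessage

# Body text that announces the password for the attached archive.
PASSWORD_HINT = re.compile(r"password for (the )?(submitted )?attachment", re.I)
LOCAL_HDR = b"PK\x03\x04"  # ZIP local file header signature


def zip_has_encrypted_entry(blob: bytes) -> bool:
    """Walk every local file header in the archive bytes; bit 0 of the
    general-purpose flag word marks a password-protected entry. Parsing the
    local headers directly also works on truncated downloads."""
    pos = blob.find(LOCAL_HDR)
    while pos != -1:
        if pos + 8 <= len(blob):
            (flags,) = struct.unpack_from("<H", blob, pos + 6)
            if flags & 0x1:
                return True
        pos = blob.find(LOCAL_HDR, pos + 4)
    return False


def classify(raw: bytes) -> dict:
    """Return which lure indicators a raw RFC 822 message exhibits."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hint, enc_zips = False, []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            hint = hint or bool(PASSWORD_HINT.search(part.get_content()))
        elif (part.get_filename() or "").lower().endswith(".zip"):
            if zip_has_encrypted_entry(part.get_payload(decode=True)):
                enc_zips.append(part.get_filename())
    return {"password_hint": hint, "encrypted_zips": enc_zips,
            "suspicious": hint and bool(enc_zips)}


def build_sample(encrypted: bool) -> bytes:
    """Constructed sample message imitating the lure (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("news.exe", b"placeholder, not a real payload")
    blob = bytearray(buf.getvalue())
    if encrypted:
        blob[6] |= 0x01  # set the 'encrypted' bit in the first local header
    msg = EmailMessage()
    msg["Subject"] = "Man Awakens From 19-Year Coma"
    msg["From"] = "news@example.invalid"  # constructed sender
    msg.set_content("Password for submitted attachment is xxx")
    msg.add_attachment(bytes(blob), maintype="application", subtype="zip",
                       filename="a8f3k2.zip")  # random-looking name
    return msg.as_bytes()
```

Only the local-header flag is patched in the constructed sample, so it is not a truly encrypted archive; on real mail the check reads the flag the sender's tool actually wrote.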

It connects to Web sites to download possibly malicious components. As a result, the routines of the downloaded components are also exhibited on the affected system.

This Trojan opens TCP port 80 and acts as a proxy server. This allows a remote user to make anonymous connections to the Internet through the affected system. A proxy server acts as an intermediary between a user and a server, so a remote user who connects through it hides their original location: the connection can only be traced back to the system on which this Trojan is installed.

Technical details can be found at this Trend Micro page.