Virus: BDS/Prorat.16.47
Date discovered: 13/12/2012
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 1,586,688 Bytes
MD5 checksum: F87808A97ECF77C6E4208C0A9010451D
VDF version: 7.11.53.216

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Backdoor.Prorat
   •  Kaspersky: Backdoor.Win32.Prorat.16
   •  Sophos: Troj/Prorat-P
   •  Eset: Win32/Prorat.16
   •  Bitdefender: Backdoor.Prorat.1.6


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Records keystrokes
   • Registry modification
   • Third party control

Files
It copies itself to the following locations:
   • %SYSDIR%\fservice.exe
   • %SYSDIR%\sservice.exe
   • %WINDIR%\services.exe



The following files are created:

   • %SYSDIR%\wininv.dll (further analysis showed that this file is also malicious)
   • %SYSDIR%\winkey.dll (further analysis showed that this file is also malicious)
   • %WINDIR%\ktd32.atm

Registry
The following registry key is added in order to run the process after reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   Run]
   • "DirectX For Microsoft Windows"="%SYSDIR%\fservice.exe"



The following registry keys are added:

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
   {5Y99AE78-58TT-11dW-BE53-Y67078979Y}]
   • "StubPath"="%SYSDIR%\sservice.exe"

[HKCU\Software\Microsoft DirectX\WinSettings]
   • "Bulas"=%user defined settings%
   • "FW_KILL"=%user defined settings%
   • "XP_FW_Disable"=%user defined settings%
   • "XP_SYS_Recovery"=%user defined settings%
   • "ICQ_UIN"=%user defined settings%
   • "ICQ_UIN2"=%user defined settings%
   • "Kurban_Ismi"=%user defined settings%
   • "Mail"=%user defined settings%
   • "Online_List"=%user defined settings%
   • "Port"=%user defined settings%
   • "Sifre"=%user defined settings%
   • "Hata"=%user defined settings%
   • "Tport"=%user defined settings%
   • "ServerVersionInt"=%user defined settings%



The following registry keys are changed:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   New value:
   • "Shell"="Explorer.exe %SYSDIR%\fservice.exe"

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Old value:
   • "Start"=%user defined settings%
   New value:
   • "Start"=dword:00000004

[HKLM\SYSTEM\ControlSet001\Services\srservice]
   Old value:
   • "Start"=%user defined settings%
   New value:
   • "Start"=dword:00000004
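The persistence and hardening changes listed above can be checked offline from a `reg export` of the relevant hives. The Python below is an added example, not Avira's code and not part of the original description: it parses the .reg text format and flags every indicator the Registry section lists. The sample export is constructed; the Active Setup entry with the well-formed CLSID is an invented benign entry included for contrast. Two details the rules depend on: SharedAccess is the Windows Firewall/Internet Connection Sharing service and srservice is System Restore, so Start=4 (SERVICE_DISABLED) on both is what the XP_FW_Disable and XP_SYS_Recovery settings above achieve; and the CLSID this sample registers under Active Setup contains non-hex characters, which a well-formed GUID never does, so it can be flagged without a signature.

```python
import re
from typing import Dict, List, Tuple

# Constructed `reg export` output seeded with the keys this description lists.
# The Active Setup entry with a well-formed CLSID is an invented benign entry
# included for contrast; it is not taken from the page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\fservice.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"DirectX For Microsoft Windows"="C:\\WINDOWS\\system32\\fservice.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}]
"StubPath"="C:\\WINDOWS\\system32\\sservice.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\WINDOWS\\system32\\ie4uinit.exe -UserConfig"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srservice]
"Start"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft DirectX\WinSettings]
"Port"="5110"
"Sifre"="secret"
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
GUID_RE = re.compile(r'^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$', re.I)
DROPPED_EXES = {'fservice.exe', 'sservice.exe', 'services.exe'}   # files listed on this page


def _unescape(s: str) -> str:
    # .reg doubles backslashes and escapes quotes inside string data
    return re.sub(r'\\(.)', r'\1', s)


def _decode(data: str):
    data = data.strip()
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.lower().startswith('dword:'):
        return int(data[6:], 16)
    return data            # hex:, hex(2): etc. are left as raw text


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg text into {key_path: {value_name: data}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    pending = ''
    for raw in text.splitlines():
        line = (pending + raw.strip()) if pending else raw.rstrip()
        pending = ''
        if line.endswith('\\'):            # multi-line hex data continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '@' if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _decode(m.group(2))
    return keys


def _basename(command: str) -> str:
    # first whitespace-delimited token is the image path (sufficient for the paths here)
    tokens = command.split()
    return tokens[0].rsplit('\\', 1)[-1].lower() if tokens else ''


def hunt_prorat(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (rule, key, detail) for every registry indicator from this description."""
    findings = []
    for key, values in keys.items():
        parts = [p.lower() for p in key.split('\\')]
        if parts[-3:] == ['windows nt', 'currentversion', 'winlogon']:
            shell = str(values.get('Shell', 'Explorer.exe')).strip()
            if shell.lower() != 'explorer.exe':     # anything appended to the shell runs at logon
                findings.append(('winlogon-shell', key, shell))
        elif parts[-3:] == ['policies', 'explorer', 'run']:
            for name, data in values.items():       # this Run key is rarely populated legitimately
                findings.append(('policies-run', key, f'{name} = {data}'))
        elif parts[-3:-1] == ['active setup', 'installed components']:
            reasons = []
            if not GUID_RE.match(key.rsplit('\\', 1)[-1]):
                reasons.append('malformed CLSID')
            if _basename(str(values.get('StubPath', ''))) in DROPPED_EXES:
                reasons.append('StubPath runs a file this sample drops')
            if reasons:
                findings.append(('active-setup', key, '; '.join(reasons)))
        elif len(parts) > 2 and parts[-2] == 'services' and parts[-1] in ('sharedaccess', 'srservice'):
            if values.get('Start') == 4:            # 4 = SERVICE_DISABLED: firewall/ICS or System Restore off
                findings.append(('service-disabled', key, 'Start=4'))
        elif parts[-2:] == ['microsoft directx', 'winsettings']:
            findings.append(('config-key', key, ', '.join(sorted(values))))
    return findings


if __name__ == '__main__':
    for rule, key, detail in hunt_prorat(parse_reg(SAMPLE_REG)):
        print(f'[{rule}] {key}\n    {detail}')
```

Run it against `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` taken from the suspect host (the files are UTF-16; open them with `encoding='utf-16'`). The Winlogon rule deliberately flags any deviation from the bare `Explorer.exe` rather than looking for `fservice.exe`, since an operator can rename the dropped file but cannot persist through this value without appending to it.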

Backdoor
The following ports are opened:

%WINDIR%\services.exe on TCP port 5110 in order to provide backdoor capabilities.
%WINDIR%\services.exe on TCP port 5112 in order to provide an FTP server.
%WINDIR%\services.exe on TCP port 51100 in order to provide an FTP server.
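A live-host counterpart to the port list above, added here as an example and not taken from Avira or from the malware: it parses `netstat -ano` output and a PID-to-image map (as `wmic process get ProcessId,ExecutablePath` would give it), flags the three default listeners, and flags any copy of the dropped file names outside their legitimate location. The key caveat a responder needs is that the real Service Control Manager binary is `%SYSDIR%\services.exe`, whereas this backdoor drops its copy one level up in `%WINDIR%`; the code treats only the System32 copy as legitimate. The ports are also only defaults: the "Port" and "Tport" values under WinSettings above are operator-configurable, so a host with no listener on 5110/5112/51100 is not thereby cleared. The netstat text and process map are constructed, and `SYSDIR` is an assumed path.

```python
import re
from typing import Dict, List, Tuple

# Default listening ports this description gives for %WINDIR%\services.exe.
PRORAT_PORTS = {5110, 5112, 51100}
# Names this description says the backdoor copies itself to.
DROPPED_NAMES = {'fservice.exe', 'sservice.exe', 'services.exe'}
# Assumed %SYSDIR% of the host being triaged. The genuine Service Control
# Manager services.exe lives here; the dropped copy lives one level up.
SYSDIR = r'c:\windows\system32'

# Constructed `netstat -ano` output (203.0.113.7 is a documentation address).
SAMPLE_NETSTAT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    0.0.0.0:5110           0.0.0.0:0              LISTENING       1764
  TCP    0.0.0.0:5112           0.0.0.0:0              LISTENING       1764
  TCP    0.0.0.0:51100          0.0.0.0:0              LISTENING       1764
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:5110       203.0.113.7:4523       ESTABLISHED     1764
  UDP    0.0.0.0:123            *:*                                    1048
'''

# Constructed PID -> image path map, as a process listing would give it.
SAMPLE_PROCESSES = {
    4: 'System',
    624: r'C:\WINDOWS\system32\services.exe',
    1032: r'C:\WINDOWS\system32\svchost.exe',
    1048: r'C:\WINDOWS\system32\svchost.exe',
    1764: r'C:\WINDOWS\services.exe',
    1800: r'C:\WINDOWS\system32\fservice.exe',
}

# proto, local addr:port, foreign addr, optional state (UDP rows have none), pid
NETSTAT_RE = re.compile(r'^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$')


def parse_netstat(text: str) -> List[Tuple[str, int, str, int]]:
    """Return (proto, local_port, state, pid) rows from `netstat -ano` text."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, _addr, port, _remote, state, pid = m.groups()
            rows.append((proto, int(port), state or '', int(pid)))
    return rows


def hunt_prorat_host(netstat_text: str, processes: Dict[int, str]) -> List[Tuple[str, str, str]]:
    """Return (rule, where, detail) findings for the port and file indicators on this page."""
    findings = []
    for proto, port, state, pid in parse_netstat(netstat_text):
        if proto == 'TCP' and state == 'LISTENING' and port in PRORAT_PORTS:
            findings.append(('listener', f'TCP {port} pid {pid}', processes.get(pid, '<unknown>')))
    for pid, path in processes.items():
        directory, _, name = path.lower().rpartition('\\')
        if name not in DROPPED_NAMES:
            continue
        if name == 'services.exe' and directory == SYSDIR:
            continue                          # the legitimate SCM binary
        findings.append(('dropped-file', f'pid {pid}', path))
    return findings


if __name__ == '__main__':
    for rule, where, detail in hunt_prorat_host(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f'[{rule}] {where}: {detail}')
```

On the constructed input the three listeners all resolve to the `%WINDIR%` copy of services.exe, which is the combination that distinguishes this sample from the SCM process; the System32 copy at PID 624 produces no finding.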

Sends information about:
     Cached passwords
     Capture screen
     Capture shot from webcam
     Created logfiles
     Current user
     IP address
     Platform ID
     Information about running processes
     System directory
     Username
     Windows directory
     Information about the Windows operating system


Remote control capabilities:
     Delete file
     Display a message
     Download file
     Edit registry
     Execute file
     Kill process
     Open remote shell
     Restart system
     Send emails
     Shut down system
     Terminate malware
     Terminate process
     Upload file
     Visit a website

Miscellaneous
String:
It also contains the following string:
   • [ProRat v1.4 Trojan Horse - Coded by PO Group - Made in Turkey]

File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • Molebox

Description inserted by Dragos Tomescu on Wednesday, August 31, 2005
Description updated by Dragos Tomescu on Friday, September 2, 2005
