Virus: BDS/Prorat.16.47
Date discovered: 13/12/2012
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 1,586,688 bytes
MD5 checksum: F87808A97ECF77C6E4208C0A9010451D
VDF version: 7.11.53.216

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Backdoor.Prorat
   •  Kaspersky: Backdoor.Win32.Prorat.16
   •  Sophos: Troj/Prorat-P
   •  Eset: Win32/Prorat.16
   •  Bitdefender: Backdoor.Prorat.1.6


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Records keystrokes
   • Registry modification
   • Third party control

Files
It copies itself to the following locations:
   • %SYSDIR%\fservice.exe
   • %SYSDIR%\sservice.exe
   • %WINDIR%\services.exe



The following files are created:

   • %SYSDIR%\wininv.dll (further investigation showed that this file is also malicious)
   • %SYSDIR%\winkey.dll (further investigation showed that this file is also malicious)
   • %WINDIR%\ktd32.atm

Registry
The following registry key is added so that the process runs again after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "DirectX For Microsoft® Windows"="%SYSDIR%\fservice.exe"



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}]
   • "StubPath"="%SYSDIR%\sservice.exe"

– [HKCU\Software\Microsoft DirectX\WinSettings]
   • "Bulas"=%user defined settings% (Turkish "bulaş": spread/infect)
   • "FW_KILL"=%user defined settings%
   • "XP_FW_Disable"=%user defined settings%
   • "XP_SYS_Recovery"=%user defined settings%
   • "ICQ_UIN"=%user defined settings%
   • "ICQ_UIN2"=%user defined settings%
   • "Kurban_Ismi"=%user defined settings% (Turkish: victim name)
   • "Mail"=%user defined settings%
   • "Online_List"=%user defined settings%
   • "Port"=%user defined settings%
   • "Sifre"=%user defined settings% (Turkish: password)
   • "Hata"=%user defined settings% (Turkish: error)
   • "Tport"=%user defined settings%
   • "ServerVersionInt"=%user defined settings%



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   New value:
   • "Shell"="Explorer.exe %SYSDIR%\fservice.exe"

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Old value:
   • "Start"=%user defined settings%
   New value:
   • "Start"=dword:00000004

– [HKLM\SYSTEM\ControlSet001\Services\srservice]
   Old value:
   • "Start"=%user defined settings%
   New value:
   • "Start"=dword:00000004
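The registry changes listed above can be checked offline against a registry export (reg export HKLM hklm.reg, plus an HKCU export for the configuration key). The following is an added example, not Avira's code: it parses the regedit 5.00 text format and applies the indicators from this description. It flags a Winlogon Shell value that is anything other than Explorer.exe, any entry under the policy Run key, an Active Setup component whose name is not a well-formed GUID (the ProRat name contains non-hex characters), the SharedAccess and srservice services set to Start=4 (SERVICE_DISABLED, i.e. Windows Firewall/ICS and System Restore turned off), and the presence of the WinSettings configuration key. The two embedded .reg excerpts are constructed for the demo; the paths are assumptions.

```python
import re

# Constructed excerpt of an export from an infected XP box; not a real capture.
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\fservice.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"DirectX For Microsoft® Windows"="C:\\WINDOWS\\system32\\fservice.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}]
"StubPath"="C:\\WINDOWS\\system32\\sservice.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srservice]
"Start"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft DirectX\WinSettings]
"Port"="5110"
"Sifre"="secret"
"""

# Constructed clean excerpt; the GUID is just a well-formed placeholder.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"StubPath"="C:\\WINDOWS\\system32\\regsvr32.exe /n /i:U shell32.dll"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
GUID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)
SERVICE_DISABLED = 4


def _unescape(s):
    # .reg files escape backslashes and double quotes inside strings.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode(v):
    # Strings come back unescaped, dwords as int, other types are kept raw.
    if len(v) >= 2 and v.startswith('"') and v.endswith('"'):
        return _unescape(v[1:-1])
    if v.lower().startswith("dword:"):
        return int(v[6:], 16)
    return v


def parse_reg(text):
    """Return {key: {value_name: value}} from regedit 5.00 export text."""
    hive, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            hive.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            hive[key][name] = _decode(m.group(2))
    return hive


def scan(hive):
    """Apply the ProRat registry indicators; returns a list of (tag, detail)."""
    findings = []
    low = {k.lower(): v for k, v in hive.items()}

    # 1. Winlogon Shell must be exactly Explorer.exe; an appended path is a persistence hijack.
    shell = low.get(r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon", {}).get("Shell")
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(("winlogon_shell", shell))

    # 2. The policy Run key is rarely populated on a workstation; ProRat places fservice.exe here.
    for name, val in low.get(r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run", {}).items():
        findings.append(("policy_run", f"{name}={val}"))

    # 3. Active Setup components run a StubPath once per user; a non-GUID component name is bogus.
    for key, vals in hive.items():
        parts = key.split("\\")
        if len(parts) >= 2 and parts[-2].lower() == "installed components" and "StubPath" in vals:
            if not GUID_RE.match(parts[-1]):
                findings.append(("activesetup_bogus_guid", f"{parts[-1]} -> {vals['StubPath']}"))

    # 4. Services ProRat disables: SharedAccess (firewall/ICS) and srservice (System Restore).
    for svc in ("sharedaccess", "srservice"):
        for key, vals in low.items():
            if re.search(r"\\services\\" + svc + "$", key) and vals.get("Start") == SERVICE_DISABLED:
                findings.append(("service_disabled", key))

    # 5. Configuration key written by the server build.
    for key in hive:
        if key.lower().endswith(r"\microsoft directx\winsettings"):
            findings.append(("prorat_config_key", key))
    return findings


if __name__ == "__main__":
    for tag, detail in scan(parse_reg(INFECTED_REG)):
        print(f"{tag}: {detail}")
```

To run it against a real export, read the file with encoding="utf-16" (regedit writes UTF-16LE with a BOM) and pass the text to parse_reg. The Active Setup check deliberately keys on the malformed GUID rather than on the StubPath file name, so it also catches a rebuilt server that uses different file names but the same installer stub.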

Backdoor
The following ports are opened:

   • %WINDIR%\services.exe on TCP port 5110 to provide backdoor capabilities.
   • %WINDIR%\services.exe on TCP port 5112 to provide an FTP server.
   • %WINDIR%\services.exe on TCP port 51100 to provide an FTP server.

Note that the legitimate Windows services.exe (the Service Control Manager) lives in %SYSDIR%; the copy in %WINDIR% is the malware, named to blend in with process listings.
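On a live host the listener can be tied back to the dropped file by correlating socket owners with process image paths. The following is an added example, not Avira's code: it parses the text printed by "netstat -ano" and by "wmic process get ExecutablePath,ProcessId" (both available on XP/2003) and reports any listener on the three ProRat ports, plus any listening services.exe whose image is not in %SYSDIR%, which catches a server rebuilt on a non-default port. The two outputs embedded below are constructed for the demo; the paths and PIDs are assumptions.

```python
import re

# Default ports from the description and the role each one serves.
PRORAT_PORTS = {5110: "backdoor", 5112: "ftp", 51100: "ftp"}

# Constructed `netstat -ano` output; not a real capture.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       792
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5110           0.0.0.0:0              LISTENING       1588
  TCP    0.0.0.0:5112           0.0.0.0:0              LISTENING       1588
  TCP    0.0.0.0:51100          0.0.0.0:0              LISTENING       1588
  TCP    192.168.1.20:1044      192.168.1.1:80         ESTABLISHED     1220
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `wmic process get ExecutablePath,ProcessId` output; not a real capture.
WMIC_SAMPLE = r"""ExecutablePath                                      ProcessId
C:\WINDOWS\system32\svchost.exe                     792
C:\WINDOWS\system32\services.exe                    672
C:\WINDOWS\services.exe                             1588
C:\Program Files\Internet Explorer\iexplore.exe     1220
"""


def parse_netstat(text):
    """Return [(local_port, pid)] for TCP sockets in LISTENING state."""
    listeners = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            port = int(f[1].rsplit(":", 1)[1])   # rsplit also copes with [::]:port
            listeners.append((port, int(f[4])))
    return listeners


def parse_wmic(text):
    """Return {pid: image path}; the path may contain spaces, so anchor on the trailing PID."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)$", line.strip())
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def find_prorat_listeners(netstat_text, wmic_text, windir=r"C:\WINDOWS"):
    """Correlate listening sockets with their owning image and flag ProRat indicators."""
    procs = parse_wmic(wmic_text)
    sysdir = (windir + r"\system32").lower() + "\\"
    findings = []
    for port, pid in parse_netstat(netstat_text):
        image = procs.get(pid, "<unknown>")
        role = PRORAT_PORTS.get(port)
        # services.exe is legitimate only in %SYSDIR%; ProRat drops its own copy in %WINDIR%.
        lower = image.lower()
        masquerade = lower.endswith(r"\services.exe") and not lower.startswith(sysdir)
        if role or masquerade:
            findings.append({
                "port": port,
                "pid": pid,
                "image": image,
                "reason": role or "services.exe outside %SYSDIR%",
            })
    return findings


if __name__ == "__main__":
    for f in find_prorat_listeners(NETSTAT_SAMPLE, WMIC_SAMPLE):
        print(f"TCP {f['port']:<6} pid {f['pid']:<6} {f['image']}  ({f['reason']})")
```

The masquerade rule is the one that matters in practice: the ports are configurable in the ProRat builder ("Port" and "Tport" in the WinSettings key above), but the dropped file name and its location in %WINDIR% are what the description records.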

Sends information about:
    • Cached passwords
    • Capture screen
    • Capture shot from webcam
    • Created logfiles
    • Current user
    • IP address
    • Platform ID
    • Information about running processes
    • System directory
    • Username
    • Windows directory
    • Information about the Windows operating system


Remote control capabilities:
    • Delete file
    • Display a message
    • Download file
    • Edit registry
    • Execute file
    • Kill process
    • Open remote shell
    • Restart system
    • Send emails
    • Shut down system
    • Terminate malware
    • Terminate process
    • Upload file
    • Visit a website

Miscellaneous
String:
The file contains the following string:
   • [ProRat v1.4 Trojan Horse - Coded by P®O Group - Made in Turkey]

File details
Runtime packer:
To hinder detection and reduce file size, it is packed with the following runtime packer:
   • Molebox

Description inserted by Dragos Tomescu on Wednesday, August 31, 2005
Description updated by Dragos Tomescu on Friday, September 2, 2005
