Full description

Virus:	BDS/Prorat.M.B.38
Date discovered:	15/03/2006
Type:	Backdoor Server
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Medium
Static file:	Yes
File size:	357.932 Bytes
MD5 checksum:	d1dabb99aaeacf1ae918f2e3f2abc2e9
VDF version:	6.33.00.119

General Method of propagation:
   • No own spreading routine

Aliases:
   • Symantec: Backdoor.Prorat
   • Mcafee: BackDoor-AVW
   • Kaspersky: Backdoor.Win32.Prorat.19.al
   • TrendMicro: BKDR_PRORAT.19
   • VirusBuster: Backdoor.Prorat.AE
   • Bitdefender: Backdoor.Prorat.1.9

Platforms / OS:
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Disable security applications
   • Drops malicious files
   • Lowers security settings
   • Records keystrokes
   • Registry modification
   • Steals information
   • Third party control

Files It copies itself to the following locations:
   • %SYSDIR%\fservice.exe
   • %SYSDIR%\sservice.exe
   • %WINDIR%\services.exe

It deletes the initially executed copy of itself.

It deletes the following files:
   • %SYSDIR%\fservice.exe
   • %SYSDIR%\sservice.exe

The following files are created:

– %SYSDIR%\winkey.dll Further investigation pointed out that this file is malware, too. Detected as: BDS/Prorat.19.H

– %SYSDIR%\reginv.dll Further investigation pointed out that this file is malware, too. Detected as: TR/Drop.Agent.co.2

– %WINDIR%\ktd32.atm This file contains collected keystrokes.
– %malware execution directory%\%executed file%.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.

Registry The following registry key is continuously in an infinite loop added in order to run the process after reboot.

– [HKLM\software\microsoft\windows\currentversion\policies\explorer\
   Run]
   • "DirectX For Microsoft® Windows"="%SYSDIR%\fservice.exe"

The following registry keys are added:

– [HKCU\software\microsoft\Windows NT Script Host\Microsoft DxDiag\
   WinSettings]
   • "Bulas"="1"
   • "FW_KILL"="1"
   • "XP_FW_Disable="1"
   • "XP_SYS_Recovery"="1"
   • "ICQ_UIN"="qvro/on,hq/hogn"
   • "ICQ_UIN2"=""
   • "Kurban_Ismi"="whbuhl"
   • "Mail"=""
   • "Online_List"=""
   • "Port"="4001"
   • "Sifre"="ehbd547"
   • "Hata"=""
   • "KSil"="1"
   • "LanNotifie"=""
   • "Tport"="0"
   • "ServerVersionInt"="19"

– [HKLM\software\microsoft\Active Setup\Installed Components\
   {5Y99AE78-58TT-11dW-BE53-Y67078979Y}]
   • "StubPath"="%SYSDIR%\sservice.exe"

The following registry keys are changed:

– [HKLM\software\microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   New value:
   • "Shell"="Explorer.exe %SYSDIR%\fservice.exe"

Process termination List of processes that are terminated:
   • _AVP32.EXE; _AVP32.EXE; _AVPCC.EXE; _AVPM.EXE; _SMC.EXE; ACKWIN32.EXE;
      ADMINTOOL.EXE; ADVXDWIN.EXE; AGENTA.EXE; AGENTSVR.EXE; ALERTSVC.EXE;
      ALG.EXE; ALOGSERV.EXE; AMON.EXE; AMON9X.EXE; ANTITROJ.EXE;
      ANTI-TROJAN.EXE; ANTIVIRUS.EXE; ANTS.EXE; APIMONITOR.EXE;
      APLICA32.EXE; APVXDWIN.EXE; ASHDISP.EXE; ASHQUICK.EXE; ATCON.EXE;
      ATGUARD.EXE; ATRO55EN.EXE; ATUPDATER.EXE; ATWATCH.EXE; ATWATCH.EXE;
      AUTOTRACE.EXE; AVCONSOL.EXE; AVCONSOL.EXE; AVENGINE.EXE; AVENGINE.EXE;
      AVGCC32.EXE; AVGCTRL.EXE; AVGNT.EXE; AVGSERV.EXE; AVGSERV9.EXE;
      AVGUARD.EXE; AVGW.EXE; AVKPOP.EXE; AVKSERV.EXE; AVKSERVICE.EXE;
      AVKWCTL.EXE; AVKWCTL9.EXE; AVP.EXE; AVP32.EXE; AVPCC.EXE; AVPCC.EXE;
      AVPM.EXE; AVSCHED32.EXE; AVSYNMGR.EXE; AVSYNMGR.EXE; AVWIN.EXE;
      AVWINNT.EXE; AVXGUI.EXE; AVXLIVE.EXE; AVXMONITOR9X.EXE;
      AVXMONITORNT.EXE; AVXQUAR.EXE; AVXW.EXE; BD_PROFESSIONAL.EXE;
      BIDEF.EXE; BIDSERVER.EXE; BIPCP.EXE; BISP.EXE; BLACKD.EXE;
      BLACKICE.EXE; BOOTSCAN.EXE; BOOTWARN.EXE; BORG2.EXE; BS120.EXE;
      CDP.EXE; CFGINTPR.EXE; CFGWIZ.EXE; CFIADMIN.EXE; CFIAUDIT.EXE;
      CFINET.EXE; CFINET32.EXE; CLAW95.EXE; CLAW95CF.EXE; CLEAN.EXE;
      CLEANER.EXE; CLEANER3.EXE; CLEANPC.EXE; CMGRDIAN.EXE; CMON016.EXE;
      CONNECTIONMONITOR.EXE; CPF9X206.EXE; CPFNT206.EXE; CTRL.EXE; CV.EXE;
      CWNB181.EXE; CWNTDWMO.EXE; DEFSCANGUI.EXE; DEFWATCH.EXE; DEPUTY.EXE;
      DOORS.EXE; DPATROL.EXE; DPF.EXE; DRWEB32.EXE; DRWEBSCD.EXE; DVP95.EXE;
      DVP95_0.EXE; ECENGINE.EXE; EFPEADM.EXE; ENT.EXE; ESAFE.EXE;
      ESCANH95.EXE; ESCANHNT.EXE; ESCANV95.EXE; ESPWATCH.EXE;
      ETRUSTCIPE.EXE; EVPN.EXE; EXANTIVIRUS-CNET.EXE; EXPERT.EXE;
      F-AGNT95.EXE; FAMEH32.EXE; FAST.EXE; FCH32.EXE; FIH32.EXE;
      FINDVIRU.EXE; FIREWALL.EXE; FLOWPROTECTOR.EXE; FNRB32.EXE; F-PROT.EXE;
      F-PROT95.EXE; FP-WIN.EXE; FRW.EXE; FSA.EXE; FSAA.EXE; FSAV.EXE;
      FSAV32.EXE; FSAV530STBYB.EXE; FSAVSTRT.EXE; FSM32.EXE; FSMA32.EXE;
      FSMB32.EXE; F-STOPW.EXE; GBMENU.EXE; GBPOLL.EXE; GENERICS.EXE;
      GLADIATOR.EXE; GUARD.EXE; GUARDDOG.EXE; GUARDER.EXE;
      HACKERELIMINATOR.EXE; HACKTRACERSETUP.EXE; HTLOG.EXE; HWPE.EXE;
      IAMAPP.EXE; IAMSERV.EXE; IAMSTATS.EXE; IBMASN.EXE; IBMAVSP.EXE;
      ICLOAD95.EXE; ICLOADNT.EXE; ICMON.EXE; ICSUPP95.EXE; ICSUPPNT.EXE;
      IFACE.EXE; IFW2000.EXE; IOMON98.EXE; IPARMOR.EXE; IRIS.EXE;
      ISRV95.EXE; JAMMER.EXE; JEDI.EXE; KAVLITE40ENG.EXE; KAVPERS40ENG.EXE;
      LDNETMON.EXE; LDPRO.EXE; LDPROMENU.EXE; LDSCAN.EXE; LOCKDOWN.EXE;
      LOCKDOWN2000.EXE; LOGMON.EXE; LOOKOUT.EXE; LUALL.EXE; LUAU.EXE;
      MCAGENT.EXE; MCMNHDLR.EXE; MCSHIELD.EXE; MCTOOL.EXE; MCVSRTE.EXE;
      MCVSSHLD.EXE; MFW2EN.EXE; MGAVRTCL.EXE; MGAVRTE.EXE; MGHTML.EXE;
      MGUI.EXE; MINILOG.EXE; MONITOR.EXE; MPFAGENT.EXE; MPFSERVICE.EXE;
      MPFTRAY.EXE; MPFTRAY.EXE; MSSMMC32.EXE; MU0311AD.EXE; MWATCH.EXE;
      N32SCANW.EXE; NAVAPW32.EXE; NAVDX.EXE; NAVLU32.EXE; NAVSTUB.EXE;
      NAVW32.EXE; NAVWNT.EXE; NC2000.EXE; NEOWATCHLOG.EXE; NEOWATCHTRAY.EXE;
      NETARMOR.EXE; NETINFO.EXE; NETMON.EXE; NETSCANPRO.EXE;
      NETSPYHUNTER-1.2.EXE; NETUTILS.EXE; NIP.EXE; NISSERV.EXE; NISUM.EXE;
      NOD32.EXE; NORMIST.EXE; NPF40_TW_98_NT_ME_2K.EXE; NPFMESSENGER.EXE;
      NPSSVC.EXE; NSCHED32.EXE; NTRTSCAN.EXE; NTVDM.EXE; NTXCONFIG.EXE;
      NUI.EXE; NVARCH16.EXE; NVC95.EXE; NWSERVICE.EXE; NWTOOL16.EXE;
      NYMSE.EXE; OSTRONET.EXE; OUTPOST.EXE; PADMIN.EXE; PANIXK.EXE;
      PAVCL.EXE; PAVFIRES.EXE; PAVPROXY.EXE; PAVPRSRV.EXE; PAVSRV51.EXE;
      PAVW.EXE; PCC2002S902.EXE; PCC2K_76_1436.EXE; PCCCLIENT.EXE;
      PCCGUIDE.EXE; PCCIOMON.EXE; PCCNTMON.EXE; PCCPFW.EXE; PCCWIN97.EXE;
      PCCWIN98.EXE; PCFWALLICON.EXE; PCSCAN.EXE; PERISCOPE.EXE; PERSFW.EXE;
      PF2.EXE; PFWADMIN.EXE; PINGSCAN.EXE; PLATIN.EXE; POP3TRAP.EXE;
      POPROXY.EXE; PORTDETECTIVE.EXE; PORTMONITOR.EXE; PPTBC.EXE;
      PPVSTOP.EXE; PROCMAN.EXE; PROGRAMAUDITOR.EXE; PROPORT.EXE;
      PROTECTX.EXE; PSPF.EXE; PURGE.EXE; PVIEW95.EXE; QCONSOLE.EXE;
      QSERVER.EXE; RAPAPP.EXE; RAV7.EXE; RAV7WIN.EXE; RAV8WIN32ENG.EXE;
      RAVMON.EXE; RAVWIN8.EXE; REALMON.EXE; REGSHOT.EXE; RMVTRJAN.EXE;
      RRGUARD.EXE; RSHELL.EXE; RTVSCN95.EXE; RULAUNCH.EXE; SAFEWEB.EXE;
      SBSERV.EXE; SCAN.EXE; SCAN32.EXE; SCANPM.EXE; SCRSCAN.EXE; SD.EXE;
      SFC.EXE; SGSSFW32.EXE; SH.EXE; SHN.EXE; SMC.EXE; SOFI.EXE; SPF.EXE;
      SPFW.EXE; SPHINX.EXE; SPYXX.EXE; SS3EDIT.EXE; ST.EXE; ST2.EXE;
      SUPFTRL.EXE; SUPPORTER5.EXE; SWEEP95.EXE; SWNETSUP.EXE;
      SYMPROXYSVC.EXE; TASKALERT.EXE; TAUMON.EXE; TAUSCAN.EXE; TBSCAN.EXE;
      TC.EXE; TCA.EXE; TCM.EXE; TDS2-98.EXE; TDS2-NT.EXE; TDS-3.EXE;
      TFAK.EXE; TFAK5.EXE; TGBOB.EXE; THGUARD.EXE; TITANIN.EXE;
      TITANINXP.EXE; TRJSCAN.EXE; TROJAN.EXE; TROJANHUNTER.EXE;
      TROJANTRAP3.EXE; TUCONF.EXE; UMXAGENT.EXE; UMXLDRA.EXE; V530WTBYB.EXE;
      V95.EXE; VBCONS.EXE; VBUST.EXE; VBWIN9X.EXE; VBWINNTW.EXE; VET32.EXE;
      VET95.EXE; VETTRAY.EXE; VIR-HELP.EXE; VNLAN300.EXE; VNPC3000.EXE;
      VPC32.EXE; VPC42.EXE; VPFW30S.EXE; VPTRAY.EXE; VPTRAY.EXE;
      VSCAN40.EXE; VSCHED.EXE; VSECOM.EXE; VSHWIN32.EXE; VSHWIN32.EXE;
      VSMAIN.EXE; VSMAIN.EXE; VSMON.EXE; VSSTAT.EXE; VSSTAT.EXE;
      WATCHDOG.EXE; WATCHER.EXE; WEBSCANX.EXE; WEBTRAP.EXE; WFINDV32.EXE;
      WGFE95.EXE; WIMMUN32.EXE; WINGATE.EXE; WINRECON.EXE; WINROUTE.EXE;
      WNT.EXE; WRADMIN.EXE; WRCTRL.EXE; WSBGATE.EXE; XCOMMSVR.EXE;
      XPF202EN.EXE; ZAPRO.EXE; ZATUTOR.EXE; ZONALM2601.EXE; ZONEALARM.EXE

List of services that are disabled:
   • System Restore
   • Internet Connection Firewall (Windows Firewall)/Internet Connection Sharing
   • Norton AntiVirus Auto-Protect Service

Backdoor The following ports are opened:

– %WINDIR%\services.exe on TCP port 5110 in order to provide backdoor capabilities.
– %WINDIR%\services.exe on TCP port 5112 in order to provide an FTP server.
– %WINDIR%\services.exe on TCP port 51100 in order to provide an FTP server.

Contact server:
All of the following:
   • pwsn.no-ip.info:41100
   • pwsn.no-ip.info:4112
   • pwsn.no-ip.info:4110

As a result it may send information and remote control could be provided. Besides, it periodically repeats the connection.

Sends information about:
    • Computer name
    • CPU speed
    • CPU type
    • IP address
    • Current malware status
    • Information about the network
    • Opened port
    • Information about running processes
    • System time
    • Username
    • Users' local activity
    • visited URLs
    • Information about the Windows operating system

Remote control capabilities:
    • Directory listing
    • Download file
    • Edit registry
    • Execute file
    • Restart system
    • Send emails
    • Shut down system
    • Terminate process

Stealing It tries to steal the following information:

– Passwords from the following programs:
   • CuteFTP
   • CuteFTP Pro
   • FlashFXP
   • Outlook Express
   • ICQ
   • Trillian
   • MSN Messenger
   • Yahoo!
   • NetMeeting

– A logging routine is started after keystrokes are typed that match the following string:
   • %any key%

– It captures:
    • Keystrokes
    • Window information

Rootkit Technology It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.

Hides the following:
– Its own registry keys

Method used:
• Hidden from Windows API

File details Programming language:
The malware program was written in Borland C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packers:
• Morphine
• UPX

Description inserted by Iulia Diaconescu on Wednesday, March 15, 2006
Description updated by Iulia Diaconescu on Monday, March 20, 2006

Back . . . .

Featured PC protection

Free products

Most popular

All products

Bundled Solutions

Workstation

Server

Bundled Solutions

Mail Gateways

Web Gateways

Collaboration Platforms

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools