Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:BDS/Prorat.M.B.38
Date discovered:15/03/2006
Type:Backdoor Server
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:357.932 Bytes
MD5 checksum:d1dabb99aaeacf1ae918f2e3f2abc2e9
VDF version:6.33.00.119

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Backdoor.Prorat
   •  Mcafee: BackDoor-AVW
   •  Kaspersky: Backdoor.Win32.Prorat.19.al
   •  TrendMicro: BKDR_PRORAT.19
   •  VirusBuster: Backdoor.Prorat.AE
   •  Bitdefender: Backdoor.Prorat.1.9


Platforms / OS:
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Drops malicious files
   • Lowers security settings
   • Records keystrokes
   • Registry modification
   • Steals information
   • Third party control

 Files It copies itself to the following locations:
   • %SYSDIR%\fservice.exe
   • %SYSDIR%\sservice.exe
   • %WINDIR%\services.exe



It deletes the initially executed copy of itself.



It deletes the following files:
   • %SYSDIR%\fservice.exe
   • %SYSDIR%\sservice.exe



The following files are created:

– %SYSDIR%\winkey.dll Further investigation pointed out that this file is malware, too. Detected as: BDS/Prorat.19.H

– %SYSDIR%\reginv.dll Further investigation pointed out that this file is malware, too. Detected as: TR/Drop.Agent.co.2

– %WINDIR%\ktd32.atm This file contains collected keystrokes.
– %malware execution directory%\%executed file%.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.

 Registry The following registry key is continuously in an infinite loop added in order to run the process after reboot.

–  [HKLM\software\microsoft\windows\currentversion\policies\explorer\
   Run]
   • "DirectX For Microsoft® Windows"="%SYSDIR%\fservice.exe"



The following registry keys are added:

– [HKCU\software\microsoft\Windows NT Script Host\Microsoft DxDiag\
   WinSettings]
   • "Bulas"="1"
   • "FW_KILL"="1"
   • "XP_FW_Disable="1"
   • "XP_SYS_Recovery"="1"
   • "ICQ_UIN"="qvro/on,hq/hogn"
   • "ICQ_UIN2"=""
   • "Kurban_Ismi"="whbuhl"
   • "Mail"=""
   • "Online_List"=""
   • "Port"="4001"
   • "Sifre"="ehbd547"
   • "Hata"=""
   • "KSil"="1"
   • "LanNotifie"=""
   • "Tport"="0"
   • "ServerVersionInt"="19"

– [HKLM\software\microsoft\Active Setup\Installed Components\
   {5Y99AE78-58TT-11dW-BE53-Y67078979Y}]
   • "StubPath"="%SYSDIR%\sservice.exe"



The following registry keys are changed:

– [HKLM\software\microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   New value:
   • "Shell"="Explorer.exe %SYSDIR%\fservice.exe"

 Process termination List of processes that are terminated:
   • _AVP32.EXE; _AVP32.EXE; _AVPCC.EXE; _AVPM.EXE; _SMC.EXE; ACKWIN32.EXE;
      ADMINTOOL.EXE; ADVXDWIN.EXE; AGENTA.EXE; AGENTSVR.EXE; ALERTSVC.EXE;
      ALG.EXE; ALOGSERV.EXE; AMON.EXE; AMON9X.EXE; ANTITROJ.EXE;
      ANTI-TROJAN.EXE; ANTIVIRUS.EXE; ANTS.EXE; APIMONITOR.EXE;
      APLICA32.EXE; APVXDWIN.EXE; ASHDISP.EXE; ASHQUICK.EXE; ATCON.EXE;
      ATGUARD.EXE; ATRO55EN.EXE; ATUPDATER.EXE; ATWATCH.EXE; ATWATCH.EXE;
      AUTOTRACE.EXE; AVCONSOL.EXE; AVCONSOL.EXE; AVENGINE.EXE; AVENGINE.EXE;
      AVGCC32.EXE; AVGCTRL.EXE; AVGNT.EXE; AVGSERV.EXE; AVGSERV9.EXE;
      AVGUARD.EXE; AVGW.EXE; AVKPOP.EXE; AVKSERV.EXE; AVKSERVICE.EXE;
      AVKWCTL.EXE; AVKWCTL9.EXE; AVP.EXE; AVP32.EXE; AVPCC.EXE; AVPCC.EXE;
      AVPM.EXE; AVSCHED32.EXE; AVSYNMGR.EXE; AVSYNMGR.EXE; AVWIN.EXE;
      AVWINNT.EXE; AVXGUI.EXE; AVXLIVE.EXE; AVXMONITOR9X.EXE;
      AVXMONITORNT.EXE; AVXQUAR.EXE; AVXW.EXE; BD_PROFESSIONAL.EXE;
      BIDEF.EXE; BIDSERVER.EXE; BIPCP.EXE; BISP.EXE; BLACKD.EXE;
      BLACKICE.EXE; BOOTSCAN.EXE; BOOTWARN.EXE; BORG2.EXE; BS120.EXE;
      CDP.EXE; CFGINTPR.EXE; CFGWIZ.EXE; CFIADMIN.EXE; CFIAUDIT.EXE;
      CFINET.EXE; CFINET32.EXE; CLAW95.EXE; CLAW95CF.EXE; CLEAN.EXE;
      CLEANER.EXE; CLEANER3.EXE; CLEANPC.EXE; CMGRDIAN.EXE; CMON016.EXE;
      CONNECTIONMONITOR.EXE; CPF9X206.EXE; CPFNT206.EXE; CTRL.EXE; CV.EXE;
      CWNB181.EXE; CWNTDWMO.EXE; DEFSCANGUI.EXE; DEFWATCH.EXE; DEPUTY.EXE;
      DOORS.EXE; DPATROL.EXE; DPF.EXE; DRWEB32.EXE; DRWEBSCD.EXE; DVP95.EXE;
      DVP95_0.EXE; ECENGINE.EXE; EFPEADM.EXE; ENT.EXE; ESAFE.EXE;
      ESCANH95.EXE; ESCANHNT.EXE; ESCANV95.EXE; ESPWATCH.EXE;
      ETRUSTCIPE.EXE; EVPN.EXE; EXANTIVIRUS-CNET.EXE; EXPERT.EXE;
      F-AGNT95.EXE; FAMEH32.EXE; FAST.EXE; FCH32.EXE; FIH32.EXE;
      FINDVIRU.EXE; FIREWALL.EXE; FLOWPROTECTOR.EXE; FNRB32.EXE; F-PROT.EXE;
      F-PROT95.EXE; FP-WIN.EXE; FRW.EXE; FSA.EXE; FSAA.EXE; FSAV.EXE;
      FSAV32.EXE; FSAV530STBYB.EXE; FSAVSTRT.EXE; FSM32.EXE; FSMA32.EXE;
      FSMB32.EXE; F-STOPW.EXE; GBMENU.EXE; GBPOLL.EXE; GENERICS.EXE;
      GLADIATOR.EXE; GUARD.EXE; GUARDDOG.EXE; GUARDER.EXE;
      HACKERELIMINATOR.EXE; HACKTRACERSETUP.EXE; HTLOG.EXE; HWPE.EXE;
      IAMAPP.EXE; IAMSERV.EXE; IAMSTATS.EXE; IBMASN.EXE; IBMAVSP.EXE;
      ICLOAD95.EXE; ICLOADNT.EXE; ICMON.EXE; ICSUPP95.EXE; ICSUPPNT.EXE;
      IFACE.EXE; IFW2000.EXE; IOMON98.EXE; IPARMOR.EXE; IRIS.EXE;
      ISRV95.EXE; JAMMER.EXE; JEDI.EXE; KAVLITE40ENG.EXE; KAVPERS40ENG.EXE;
      LDNETMON.EXE; LDPRO.EXE; LDPROMENU.EXE; LDSCAN.EXE; LOCKDOWN.EXE;
      LOCKDOWN2000.EXE; LOGMON.EXE; LOOKOUT.EXE; LUALL.EXE; LUAU.EXE;
      MCAGENT.EXE; MCMNHDLR.EXE; MCSHIELD.EXE; MCTOOL.EXE; MCVSRTE.EXE;
      MCVSSHLD.EXE; MFW2EN.EXE; MGAVRTCL.EXE; MGAVRTE.EXE; MGHTML.EXE;
      MGUI.EXE; MINILOG.EXE; MONITOR.EXE; MPFAGENT.EXE; MPFSERVICE.EXE;
      MPFTRAY.EXE; MPFTRAY.EXE; MSSMMC32.EXE; MU0311AD.EXE; MWATCH.EXE;
      N32SCANW.EXE; NAVAPW32.EXE; NAVDX.EXE; NAVLU32.EXE; NAVSTUB.EXE;
      NAVW32.EXE; NAVWNT.EXE; NC2000.EXE; NEOWATCHLOG.EXE; NEOWATCHTRAY.EXE;
      NETARMOR.EXE; NETINFO.EXE; NETMON.EXE; NETSCANPRO.EXE;
      NETSPYHUNTER-1.2.EXE; NETUTILS.EXE; NIP.EXE; NISSERV.EXE; NISUM.EXE;
      NOD32.EXE; NORMIST.EXE; NPF40_TW_98_NT_ME_2K.EXE; NPFMESSENGER.EXE;
      NPSSVC.EXE; NSCHED32.EXE; NTRTSCAN.EXE; NTVDM.EXE; NTXCONFIG.EXE;
      NUI.EXE; NVARCH16.EXE; NVC95.EXE; NWSERVICE.EXE; NWTOOL16.EXE;
      NYMSE.EXE; OSTRONET.EXE; OUTPOST.EXE; PADMIN.EXE; PANIXK.EXE;
      PAVCL.EXE; PAVFIRES.EXE; PAVPROXY.EXE; PAVPRSRV.EXE; PAVSRV51.EXE;
      PAVW.EXE; PCC2002S902.EXE; PCC2K_76_1436.EXE; PCCCLIENT.EXE;
      PCCGUIDE.EXE; PCCIOMON.EXE; PCCNTMON.EXE; PCCPFW.EXE; PCCWIN97.EXE;
      PCCWIN98.EXE; PCFWALLICON.EXE; PCSCAN.EXE; PERISCOPE.EXE; PERSFW.EXE;
      PF2.EXE; PFWADMIN.EXE; PINGSCAN.EXE; PLATIN.EXE; POP3TRAP.EXE;
      POPROXY.EXE; PORTDETECTIVE.EXE; PORTMONITOR.EXE; PPTBC.EXE;
      PPVSTOP.EXE; PROCMAN.EXE; PROGRAMAUDITOR.EXE; PROPORT.EXE;
      PROTECTX.EXE; PSPF.EXE; PURGE.EXE; PVIEW95.EXE; QCONSOLE.EXE;
      QSERVER.EXE; RAPAPP.EXE; RAV7.EXE; RAV7WIN.EXE; RAV8WIN32ENG.EXE;
      RAVMON.EXE; RAVWIN8.EXE; REALMON.EXE; REGSHOT.EXE; RMVTRJAN.EXE;
      RRGUARD.EXE; RSHELL.EXE; RTVSCN95.EXE; RULAUNCH.EXE; SAFEWEB.EXE;
      SBSERV.EXE; SCAN.EXE; SCAN32.EXE; SCANPM.EXE; SCRSCAN.EXE; SD.EXE;
      SFC.EXE; SGSSFW32.EXE; SH.EXE; SHN.EXE; SMC.EXE; SOFI.EXE; SPF.EXE;
      SPFW.EXE; SPHINX.EXE; SPYXX.EXE; SS3EDIT.EXE; ST.EXE; ST2.EXE;
      SUPFTRL.EXE; SUPPORTER5.EXE; SWEEP95.EXE; SWNETSUP.EXE;
      SYMPROXYSVC.EXE; TASKALERT.EXE; TAUMON.EXE; TAUSCAN.EXE; TBSCAN.EXE;
      TC.EXE; TCA.EXE; TCM.EXE; TDS2-98.EXE; TDS2-NT.EXE; TDS-3.EXE;
      TFAK.EXE; TFAK5.EXE; TGBOB.EXE; THGUARD.EXE; TITANIN.EXE;
      TITANINXP.EXE; TRJSCAN.EXE; TROJAN.EXE; TROJANHUNTER.EXE;
      TROJANTRAP3.EXE; TUCONF.EXE; UMXAGENT.EXE; UMXLDRA.EXE; V530WTBYB.EXE;
      V95.EXE; VBCONS.EXE; VBUST.EXE; VBWIN9X.EXE; VBWINNTW.EXE; VET32.EXE;
      VET95.EXE; VETTRAY.EXE; VIR-HELP.EXE; VNLAN300.EXE; VNPC3000.EXE;
      VPC32.EXE; VPC42.EXE; VPFW30S.EXE; VPTRAY.EXE; VPTRAY.EXE;
      VSCAN40.EXE; VSCHED.EXE; VSECOM.EXE; VSHWIN32.EXE; VSHWIN32.EXE;
      VSMAIN.EXE; VSMAIN.EXE; VSMON.EXE; VSSTAT.EXE; VSSTAT.EXE;
      WATCHDOG.EXE; WATCHER.EXE; WEBSCANX.EXE; WEBTRAP.EXE; WFINDV32.EXE;
      WGFE95.EXE; WIMMUN32.EXE; WINGATE.EXE; WINRECON.EXE; WINROUTE.EXE;
      WNT.EXE; WRADMIN.EXE; WRCTRL.EXE; WSBGATE.EXE; XCOMMSVR.EXE;
      XPF202EN.EXE; ZAPRO.EXE; ZATUTOR.EXE; ZONALM2601.EXE; ZONEALARM.EXE


List of services that are disabled:
   • System Restore
   • Internet Connection Firewall (Windows Firewall)/Internet Connection Sharing
   • Norton AntiVirus Auto-Protect Service

 Backdoor The following ports are opened:

– %WINDIR%\services.exe on TCP port 5110 in order to provide backdoor capabilities.
– %WINDIR%\services.exe on TCP port 5112 in order to provide an FTP server.
– %WINDIR%\services.exe on TCP port 51100 in order to provide an FTP server.


Contact server:
All of the following:
   • pwsn.no-ip.info:41100
   • pwsn.no-ip.info:4112
   • pwsn.no-ip.info:4110

As a result it may send information and remote control could be provided. Besides, it periodically repeats the connection.

Sends information about:
    • Computer name
    • CPU speed
    • CPU type
    • IP address
    • Current malware status
    • Information about the network
    • Opened port
    • Information about running processes
    • System time
    • Username
    • Users' local activity
    • visited URLs
    • Information about the Windows operating system


Remote control capabilities:
    • Directory listing
    • Download file
    • Edit registry
    • Execute file
    • Restart system
    • Send emails
    • Shut down system
    • Terminate process

 Stealing It tries to steal the following information:

– Passwords from the following programs:
   • CuteFTP
   • CuteFTP Pro
   • FlashFXP
   • Outlook Express
   • ICQ
   • Trillian
   • MSN Messenger
   • Yahoo!
   • NetMeeting

– A logging routine is started after keystrokes are typed that match the following string:
   • %any key%

– It captures:
    • Keystrokes
    • Window information

 Rootkit Technology It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.


Hides the following:
– Its own registry keys


Method used:
    • Hidden from Windows API

 File details Programming language:
The malware program was written in Borland C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packers:
   • Morphine
   • UPX

Description inserted by Iulia Diaconescu on Wednesday, March 15, 2006
Description updated by Iulia Diaconescu on Monday, March 20, 2006

Back . . . .