Full description

Virus:	BDS/Prorat.RC
Date discovered:	30/06/2005
Type:	Backdoor Server
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Medium
Static file:	Yes
File size:	350.764 Bytes
MD5 checksum:	3648ef98f2bfba463fd46f8180d267c5
VDF version:	6.31.00.124

General Method of propagation:
   • No own spreading routine

Aliases:
   • Mcafee: BackDoor-AVW
   • Kaspersky: Backdoor.Win32.Prorat.19.i
   • TrendMicro: BKDR_PRORAT.I
   • Sophos: Troj/Prorat-19
   • Grisoft: BackDoor.Prorat.2.BC
   • VirusBuster: trojan Backdoor.Prorat.AR1
   • Bitdefender: Backdoor.Prorat.19

It was previously detected as:
   • TR/Dldr.Small.rc.1

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Disable security applications
   • Drops malicious files
   • Uses its own Email engine
   • Lowers security settings
   • Records keystrokes
   • Registry modification
   • Steals information
   • Third party control

Right after execution the following information is displayed:

Files It copies itself to the following locations:
   • %SYSDIR%\fservice.exe
   • %SYSDIR%\sservice.exe
   • %WINDIR%\services.exe

The following files are created:

– %SYSDIR%\winkey.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: BDS/Prorat.19.I.3

– %SYSDIR%\reginv.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Drop.Agent.co.2

– %WINDIR%\ktd32.atm This file contains collected keystrokes.

Registry The following registry keys are continuously in an infinite loop added in order to run the processes after reboot.

– [HKLM\software\microsoft\windows\currentversion\policies\explorer\
   Run]
   • "DirectX For Microsoft® Windows"="%SYSDIR%\fservice.exe"

– [HKLM\software\microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Shell"="Explorer.exe %SYSDIR%\fservice.exe"

The following registry keys are added:

– [HKCU\software\microsoft\Windows NT Script Host\Microsoft DxDiag\
   WinSettings]
   • "LanNotifie" = ""
   • "KSil" = "0"
   • "Hata" = "Invalid memory block address"
   • "Sifre" = "ln{`su"
   • "Port" = "4008"
   • "Online_List" = ""
   • "Mail" = "bishrhrbs`{x0101Ax`inn/bnl"
   • "Kurban_Ismi" = "trds"
   • "ICQ_UIN2" = ""
   • "ICQ_UIN" = "gtrhnovdc/on,hq/hogn"
   • "XP_SYS_Recovery" = "1"
   • "XP_FW_Disable" = "1"
   • "FW_KILL" = "1"
   • "Bulas" = "1"

– [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
   {5Y99AE78-58TT-11dW-BE53-Y67078979Y}]
   • "StubPath"="%SYSDIR%\sservice.exe"

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   • "Group"=""

The following registry keys are changed:

– [HKLM\software\microsoft\\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   New value:
   • "Shell"="Explorer.exe %SYSDIR%\fservice.exe"

Deactivate Windows Firewall:
– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess]
   Old value:
   • "Start"=%user defined settings%
   New value:
   • "Start"=dword:00000004

Deactivate Windows Firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Old value:
   • "Start"=%user defined settings%
   New value:
   • "Start"=dword:00000004

Email It doesn't have its own spreading routine but it has the ability to send an email. It is most likely that the receiver is the author. The characteristics are described below:

From:
The sender of the email is the following:
   • ProRat V1.9:Fix-10 <ProRat@Yahoo.Com>

To:
The recipient of the email is the following:
   • chrisiscrazy1010@yahoo.com

Subject:
The following:
   • ProRat [user Online]

Body:
The body of the email is the following:

   • [ProRat V1.9:Fix-10]
     Victim is Online.
     IP Address(es) :
     %current ip address%

     Port :5119
     Password :mozart
     Victim name :user
     User name :%current username%
     Computer Name :%computer name%
     Date :%current date%
     Time :%current hour%

The email looks like the following:

Process termination List of processes that are terminated:
   • _AVP32.EXE; _AVP32.EXE; _AVPCC.EXE; _AVPM.EXE; _SMC.EXE; ACKWN32.EXE;
      ADMNTOOL.EXE; ADVXDWN.EXE; AGENTA.EXE; AGENTSVR.EXE; ALERTSVC.EXE;
      ALG.EXE; ALOGSERV.EXE; AMAPP.EXE; AMON.EXE; AMON9X.EXE; AMSERV.EXE;
      AMSTATS.EXE; ANTS.EXE; ANTTROJ.EXE; ANT-TROJAN.EXE; ANTVRUS.EXE;
      APLCA32.EXE; APMONTOR.EXE; APVXDWN.EXE; ASHDSP.EXE; ASHQUCK.EXE;
      ATC¿N.EXE; ATGUARD.EXE; ATRO55EN.EXE; ATUPDATER.EXE; ATWATCH.EXE;
      ATWATCH.EXE; AUTOTRACE.EXE; AVCONSOL.EXE; AVCONSOL.EXE; AVENGNE.EXE;
      AVGCC32.EXE; AVGCTRL.EXE; AVGNT.EXE; AVGSERV.EXE; AVGSERV9.EXE;
      AVGUARD.EXE; AVGW.EXE; AVKPOP.EXE; AVKSERV.EXE; AVKSERVCE.EXE;
      AVKWCTL.EXE; AVKWCTL9.EXE; AVP.EXE; AVP32.EXE; AVPCC.EXE; AVPCC.EXE;
      AVPM.EXE; AVPRSRV.EX; AVSCHED32.EXE; AVSYNMGR.EXE; AVSYNMGR.EXE;
      AVWN.EXE; AVWNNT.EXE; AVXGU.EXE; AVXLVE.EXE; AVXMONTOR9X.EXE;
      AVXMONTORNT.EXE; AVXQUAR.EXE; AVXW.EXE; BD_PROFESSONAL.EXE; BDEF.EXE;
      BDSERVER.EXE; BLACKCE.EXE; BLACKD.EXE; BMASN.EXE; BMAVSP.EXE;
      BOOTSCAN.EXE; BOOTWARN.EXE; BORG2.EXE; BPCP.EXE; BS120.EXE; BSP.EXE;
      CDP.EXE; CFADMN.EXE; CFAUDT.EXE; CFGNTPR.EXE; CFGWZ.EXE; CFNET.EXE;
      CFNET32.EXE; CLAW95.EXE; CLAW95CF.EXE; CLEAN.EXE; CLEANER.EXE;
      CLEANER3.EXE; CLEANPC.EXE; CLOAD95.EXE; CLOADNT.EXE; CMGRDAN.EXE;
      CMON.EXE; CMON016.EXE; CONNECTONMONTOR.EXE; CPF9X206.EXE;
      CPFNT206.EXE; CSUPP95.EXE; CSUPPNT.EXE; CTRL.EXE; CV.EXE; CWNB181.EXE;
      CWNTDWMO.EXE; DEFSCANGU.EXE; DEFWATCH.EXE; DEPUTY.EXE; DOORS.EXE;
      DPATROL.EXE; DPF.EXE; DRWEB32.EXE; DRWEBSCD.EXE; DVP95.EXE;
      DVP95_0.EXE; ECENGNE.EXE; EFPEADM.EXE; ENT.EXE; ESAFE.EXE;
      ESCANH95.EXE; ESCANHNT.EXE; ESCANV95.EXE; ESPWATCH.EXE; ETRUSTCPE.EXE;
      EVPN.EXE; EXANTVRUS-CNET.EXE; EXPERT.EXE; FACE.EXE; F-AGNT95.EXE;
      FAMEH32.EXE; FAST.EXE; FCH32.EXE; FH32.EXE; FLOWPROTECTOR.EXE;
      FNDVRU.EXE; FNRB32.EXE; F-PROT.EXE; F-PROT95.EXE; FP-WN.EXE;
      FREWALL.EXE; FRW.EXE; FSA.EXE; FSAA.EXE; FSAV.EXE; FSAV32.EXE;
      FSAV530STBYB.EXE; FSAVSTRT.EXE; FSM32.EXE; FSMA32.EXE; FSMB32.EXE;
      F-STOPW.EXE; FW2000.EXE; GBMENU.EXE; GBPOLL.EXE; GENERCS.EXE;
      GLADATOR.EXE; GUARD.EXE; GUARDDOG.EXE; GUARDER.EXE;
      HACKERELMNATOR.EXE; HACKTRACERSETUP.EXE; HTLOG.EXE; HWPE.EXE;
      JAMMER.EXE; JED.EXE; KAVLTE40ENG.EXE; KAVPERS40ENG.EXE; LDNETMON.EXE;
      LDPRO.EXE; LDPROMENU.EXE; LDSCAN.EXE; LOCKDOWN.EXE; LOCKDOWN2000.EXE;
      LOGMON.EXE; LOOKOUT.EXE; LUALL.EXE; LUAU.EXE; MCAGENT.EXE;
      MCMNHDLR.EXE; MCSHELD.EXE; MCTOOL.EXE; MCVSRTE.EXE; MCVSSHLD.EXE;
      MFW2EN.EXE; MGAVRTCL.EXE; MGAVRTE.EXE; MGHTML.EXE; MGU.EXE; MNLOG.EXE;
      MONTOR.EXE; MPFAGENT.EXE; MPFSERVCE.EXE; MPFTRAY.EXE; MPFTRAY.EXE;
      MSSMMC32.EXE; MU0311AD.EXE; MWATCH.EXE; N32SCANW.EXE; NAVAPW32.EXE;
      NAVDX.EXE; NAVLU32.EXE; NAVSTUB.EXE; NAVW32.EXE; NAVWNT.EXE;
      NC2000.EXE; NEOWATCHLOG.EXE; NEOWATCHTRAY.EXE; NETARMOR.EXE;
      NETMON.EXE; NETNFO.EXE; NETSCANPRO.EXE; NETSPYHUNTER-1.2.EXE;
      NETUTLS.EXE; NOD32.EXE; NORMST.EXE; NP.EXE; NPF40_TW_98_NT_ME_2K.EXE;
      NPFMESSENGER.EXE; NPSSVC.EXE; NSCHED32.EXE; NSSERV.EXE; NSUM.EXE;
      NTRTSCAN.EXE; NTVDM.EXE; NTXCONFG.EXE; NU.EXE; NVARCH16.EXE;
      NVC95.EXE; NWSERVCE.EXE; NWTOOL16.EXE; NYMSE.EXE; OMON98.EXE;
      OSTRONET.EXE; OUTPOST.EXE; P SPF.EXE; PADMN.EXE; PANXK.EXE;
      PARMOR.EXE; PAVCL.EXE; PAVFRES.EXE; PAVPROXY.EXE; PAVSRV51.EXE;
      PAVW.EXE; PCC2002S902.EXE; PCC2K_76_1436.EXE; PCCCLENT.EXE;
      PCCGUDE.EXE; PCCNTMON.EXE; PCCOMON.EXE; PCCPFW.EXE; PCCWN97.EXE;
      PCCWN98.EXE; PCFWALLCON.EXE; PCSCAN.EXE; PERSCOPE.EXE; PERSFW.EXE;
      PF2.EXE; PFWADMN.EXE; PLATN.EXE; PNGSCAN.EXE; POP3TRAP.EXE;
      POPROXY.EXE; PORTDETECTVE.EXE; PORTMONTOR.EXE; PPTBC.EXE; PPVSTOP.EXE;
      PROCMAN.EXE; PROGRAMAUDTOR.EXE; PROPORT.EXE; PROTECTX.EXE; PURGE.EXE;
      PVEW95.EXE; QCONSOLE.EXE; QSERVER.EXE; RAPAPP.EXE; RAV7.EXE;
      RAV7WN.EXE; RAV8WN32ENG.EXE; RAVMON.EXE; RAVWN8.EXE; REALMON.EXE;
      REGSHOT.EXE; RMVTRJAN.EXE; RRGUARD.EXE; RS.EXE; RSHELL.EXE;
      RTVSCN95.EXE; RULAUNCH.EXE; SAFEWEB.EXE; SBSERV.EXE; SCAN.EXE;
      SCAN32.EXE; SCANPM.EXE; SCRSCAN.EXE; SD.EXE; SFC.EXE; SGSSFW32.EXE;
      SH.EXE; SHN.EXE; SMC.EXE; SOF.EXE; SPF.EXE; SPFW.EXE; SPHNX.EXE;
      SPYXX.EXE; SRV95.EXE; SS3EDT.EXE; ST.EXE; ST2.EXE; SUPFTRL.EXE;
      SUPPORTER5.EXE; SWEEP95.EXE; SWNETSUP.EXE; SYMPROXYSVC.EXE;
      TASKALERT.EXE; TAUMON.EXE; TAUSCAN.EXE; TBSCAN.EXE; TC.EXE; TCA.EXE;
      TCM.EXE; TDS2-98.EXE; TDS2-NT.EXE; TDS-3.EXE; TFAK.EXE; TFAK5.EXE;
      TGBOB.EXE; THGUARD.EXE; TRJSCAN.EXE; TROJAN.EXE; TROJANHUNTER.EXE;
      TROJANTRAP3.EXE; TTANN.EXE; TTANNXP.EXE; TUCONF.EXE; UMXAGENT.EXE;
      UMXLDRA.EXE; V530WTBYB.EXE; V95.EXE; VBCONS.EXE; VBUST.EXE;
      VBWN9X.EXE; VBWNNTW.EXE; VENGNE.EX; VET32.EXE; VET95.EXE; VETTRAY.EXE;
      VNLAN300.EXE; VNPC3000.EXE; VPC32.EXE; VPC42.EXE; VPFW30S.EXE; VPTR
      AY.EXE; VPTRAY.EXE; VR-HELP.EXE; VSCAN40.EXE; VSCHED.EXE; VSECOM.EXE;
      VSHWN32.EXE; VSHWN32.EXE; VSMAN.EXE; VSMAN.EXE; VSMON.EXE; VSSTAT.EXE;
      VSSTAT.EXE; WATCHDOG.EXE; WATCHER.EXE; WEBSCANX.EXE; WEBTRAP.EXE;
      WFNDV32.EXE; WGFE95.EXE; WMMUN32.EXE; WNGATE.EXE; WNRECON.EXE;
      WNROUTE.EXE; WNT.EXE; WRADMN.EXE; WRCTRL.EXE; WSBGATE.EXE;
      XCOMMSVR.EXE; XPF202EN.EXE; ZAPRO.EXE; ZATUTOR.EXE; ZAUNST.EXE;
      ZONALM2601.EXE; ZONEALARM.EXE

List of services that are disabled:
   • System Restore
   • Internet Connection Firewall (Windows Firewall)/Internet Connection Sharing
   • Norton AntiVirus Auto-Protect Service (navapsvc)

Backdoor The following ports are opened:

– %WINDIR%\services.exe on TCP port 5119 in order to provide backdoor capabilities.
– %WINDIR%\services.exe on TCP port 5112 in order to provide an FTP server.
– %WINDIR%\services.exe on TCP port 51100 in order to provide an FTP server.

Contact server:
One of the following:
   • fusionweb.no-ip**********:41100
   • fusionweb.no-ip**********:4110
   • fusionweb.no-ip**********:4112
   • fusionweb.no-ip**********:41100

As a result it may send information and remote control could be provided. Besides, it periodically repeats the connection.

Remote control capabilities:
    • Directory listing
    • Download file
    • Edit registry
    • Execute file
    • Open remote shell
    • Send emails

Stealing It tries to steal the following information:
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– Passwords from the following programs:
   • CuteFTP
   • FlashFXP

– A logging routine is started after keystrokes are typed that match the following string:
   • %any key%

– It captures:
    • Keystrokes
    • Window information

Miscellaneous String:
Furthermore it contains the following string:
• [ ProRat v1.9 Trojan Horse - Coded by PRO Group - Made in Turkey ]

Rootkit Technology It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.

Hides the following:
– Its own registry keys

Method used:
• Hidden from Windows API

File details Programming language:
The malware program was written in Delphi.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• UPX

Description inserted by Daniel Constantin on Wednesday, March 15, 2006
Description updated by Daniel Constantin on Tuesday, March 21, 2006

Back . . . .

Featured PC protection

Free products

Most popular

All products

Bundled Solutions

Workstation

Server

Bundled Solutions

Mail Gateways

Web Gateways

Collaboration Platforms

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools