The Trojan attempts to download additional components from a remote site.
When first run, Troj/Prorat-H copies itself into: %Windows%\_dxdiag.exe%system32%\_dxdiag.exe
The Trojan also drops additional executable files into the system32 folder:
_mps.exe, _fps.exe, _icq.dll, _key.dll, _pnc.exe
The information stolen by above executable will be stored in following log files:
_fps.dat, _mps.dat, _key.dat, _pnc.dat
In order to run automatically when Windows starts up Troj/Prorat-H creates the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\
Explorer\Run\Microsoft DirectX Diagnostic Tool=C:\WINDOWS\dxdiag.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell=Explorer.exe C:\WINDOWS\dxdiag.exe.
Troj/Prorat-H creates or modifies several registry entries under:
HKCU\Software\Microsoft DirectX\
HKLM\Software\Microsoft\Active Setup\Installed Components\
(BTT9AE78-87RT-11dW-2944-FF034297)\
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\