W32/Protorid-AB is a network worm for the Windows platform.
The worm spreads through network shares and via the RPC-DCOM vulnerability. When spreading through networks, the worm may use the filenames comand.exe or internat.exe
W32/Protorid-AB joins a predefined IRC channel and awaits further commands from a remote user.
Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Protorid-AB (detected as W32/Protori-Fam) since version 3.81.
When first run, the worm creates the following registry entry so that it is launched each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Taskbar Manager = "<path to worm>"
The worm spreads through network shares and by exploiting the RPC-DCOM vulnerability. When spreading through network shares it may use the filenames comand.exe or internat.exe, and it attempts to copy itself into remote folders whose paths contain one of the following. These are the localised Startup folders of the target machine, so the copied file is launched at the next interactive logon:
\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat
\Documents and Settings\All Users\Men
\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\
\Documents and Settings\All Users\Menu Iniciar\Programas\Iniciar\
\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
\Documents and Settings\All Users\Menu Start\Programy\Autostart\
\Documents and Settings\All Users\Menuen Start\Programmer\Start\
\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
\Documents and Settings\All Users\Start-menyn\Program\Autostart\
\Documents and Settings\All Users\Start Menu\Programlar\BASLANGIÇ\
\Documents and Settings\All Users\Start Menu\Programs\StartUp\
\Dokumente und Einstellungen\All Users\Startmen
\Käynnistys\
\Programme\Autostart\
\Programme\Autostart\
\Programme\Autostart\
\Programme\Autostart\
\Programme\Autostart\
\Programme\Autostart\
\WIN95\Käynnistä-valikko\Ohjelmat\Käynnistys\
\WIN95\Men
\WIN95\Menu Avvio\Programmi\Esecuzione automatica\
\WIN95\Menu Démarrer\Programmes\Démarrage\
\WIN95\Menu Iniciar\Programas\Iniciar\
\WIN95\Menu Start\Programma's\Opstarten\
\WIN95\Menu Start\Programy\Autostart\
\WIN95\Menuen Start\Programmer\Start\
\WIN95\Start-meny\Programmer\Oppstart\
\WIN95\Start-menyn\Program\Autostart\
\WIN95\Start Menu\Programlar\BASLANGIÇ\
\WIN95\Start Menu\Programs\StartUp\
\WIN95\Startmenu
\WIN98\Käynnistä-valikko\Ohjelmat\Käynnistys\
\WIN98\Men
\WIN98\Menu Avvio\Programmi\Esecuzione automatica\
\WIN98\Menu Démarrer\Programmes\Démarrage\
\WIN98\Menu Iniciar\Programas\Iniciar\
\WIN98\Menu Start\Programma's\Opstarten\
\WIN98\Menu Start\Programy\Autostart\
\WIN98\Menuen Start\Programmer\Start\
\WIN98\Start-meny\Programmer\Oppstart\
\WIN98\Start-menyn\Program\Autostart\
\WIN98\Start Menu\Programlar\BASLANGIÇ\
\WIN98\Start Menu\Programs\StartUp\
\WIN98\Startmen
\WINDOWS.000\Men
\WINDOWS.000\Menu Iniciar\Programas\Iniciar\
\WINDOWS.000\Start Menu\Programs\StartUp\
\WINDOWS.000\Startmenu
\WINDOWS\Käynnistä-valikko\Ohjelmat\Käynnistys\
\WINDOWS\Men
\WINDOWS\Menu Avvio\Programmi\Esecuzione automatica\
\WINDOWS\Menu Démarrer\Programmes\Démarrage\
\WINDOWS\Menu Iniciar\Programas\Iniciar\
\WINDOWS\Menu Start\Programma's\Opstarten\
\WINDOWS\Menu Start\Programy\Autostart\
\WINDOWS\Menuen Start\Programmer\Start\
\WINDOWS\Start-meny\Programmer\Oppstart\
\WINDOWS\Start-menyn\Program\Autostart\
\WINDOWS\Start Menu\Programlar\BASLANGIÇ\
\WINDOWS\Start Menu\Programs\StartUp\
\WINDOWS\Startmen
\WINME\Käynnistä-valikko\Ohjelmat\Käynnistys\
\WINME\Men
\WINME\Menu Avvio\Programmi\Esecuzione automatica\
\WINME\Menu Démarrer\Programmes\Démarrage\
\WINME\Menu Iniciar\Programas\Iniciar\
\WINME\Menu Start\Programma's\Opstarten\
\WINME\Menu Start\Programy\Autostart\
\WINME\Menuen Start\Programmer\Start\
\WINME\Start-meny\Programmer\Oppstart\
\WINME\Start-menyn\Program\Autostart\
\WINME\Start Menu\Programlar\BASLANGIÇ\
\WINME\Start Menu\Programs\StartUp\
\WINME\Startmen
Inicio\Programas\Inicio\
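The persistence entry and the share-copy behaviour described above give two cheap indicators to sweep for: the Run value name, and the two worm filenames sitting in a localised Startup folder. The following is an added example, not code from the Sophos analysis, that matches those indicators over a dump of the Run key and a list of file paths gathered from shares. The hostnames, paths and Run values in the sample are constructed; the Startup-folder suffix set is taken from the list above (where some entries are truncated, so extend it for your own estate). The one caveat worth building in is that internat.exe is also the name of a legitimate Windows 9x/2000 system32 binary, so it is only flagged when found in a Startup folder.

```python
# Added example (not from the Sophos analysis): IOC matcher for the
# W32/Protorid-AB artefacts listed on this page. Sample inputs below are
# constructed; hostnames and locations are hypothetical.
import ntpath
from dataclasses import dataclass
from typing import Optional

# Filenames the worm uses when copying itself over the network.
WORM_FILENAMES = {"comand.exe", "internat.exe"}

# Value name the worm writes under HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
RUN_VALUE_NAME = "windows taskbar manager"

# Trailing components of the localised Startup folders from the list above,
# lower-cased. The page's list is truncated for some locales, so extend this.
STARTUP_FOLDER_SUFFIXES = {
    r"käynnistä-valikko\ohjelmat\käynnistys",
    r"menu avvio\programmi\esecuzione automatica",
    r"menu démarrer\programmes\démarrage",
    r"menu iniciar\programas\iniciar",
    r"menu start\programma's\opstarten",
    r"menu start\programy\autostart",
    r"menuen start\programmer\start",
    r"start-meny\programmer\oppstart",
    r"start-menyn\program\autostart",
    r"start menu\programlar\baslangiç",
    r"start menu\programs\startup",
}


@dataclass(frozen=True)
class Finding:
    kind: str       # "registry" or "file"
    location: str   # Run value name, or the full file path
    detail: str


def normalise(path: str) -> str:
    """Windows paths are case-insensitive; also tolerate forward slashes."""
    return path.replace("/", "\\").rstrip("\\").lower()


def is_startup_folder(directory: str) -> bool:
    d = normalise(directory)
    return any(d.endswith("\\" + suffix) for suffix in STARTUP_FOLDER_SUFFIXES)


def check_run_values(values: dict) -> list:
    """values: {value name: value data} read from the HKLM Run key."""
    hits = []
    for name, data in values.items():
        if name.strip().lower() == RUN_VALUE_NAME:
            worm_path = data.strip().strip('"')   # data is "<path to worm>"
            hits.append(Finding("registry", name, worm_path))
    return hits


def check_file_path(path: str) -> Optional[Finding]:
    """Classify one file path found on a host or share."""
    directory, name = ntpath.split(path)  # ntpath parses UNC/drive paths on any OS
    name = name.lower()
    if name not in WORM_FILENAMES:
        return None
    if is_startup_folder(directory):
        return Finding("file", path, "worm filename in a Startup folder")
    if name == "comand.exe":
        # Not a Windows component name (it typo-squats command.com), so worth a look anywhere.
        return Finding("file", path, "worm filename outside a Startup folder; review")
    # internat.exe is also a legitimate Windows 9x/2000 system32 binary (keyboard
    # layout indicator), so it is only reported when it sits in a Startup folder.
    return None


def scan(run_values: dict, paths: list) -> list:
    findings = check_run_values(run_values)
    findings.extend(f for f in map(check_file_path, paths) if f is not None)
    return findings


# Constructed sample input (hypothetical hosts).
SAMPLE_RUN_VALUES = {
    "Windows Taskbar Manager": r'"C:\WINDOWS\internat.exe"',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_PATHS = [
    r"\\FILESRV01\C$\Documents and Settings\All Users\Start Menu\Programs\StartUp\comand.exe",
    r"\\FILESRV01\C$\WINNT\system32\internat.exe",
    r"\\WS-FI-07\C$\WINDOWS\Käynnistä-valikko\Ohjelmat\Käynnistys\internat.exe",
    r"\\WS-IT-02\C$\WINDOWS\Menu Avvio\Programmi\Esecuzione automatica\notepad.exe",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RUN_VALUES, SAMPLE_PATHS):
        print(f"{f.kind:8} {f.location}  <- {f.detail}")
```

Run against the sample data this reports the Run value and two Startup-folder copies and stays silent on the system32 internat.exe and on notepad.exe. Matching on the trailing folder components rather than the full path keeps it working whether the files were found via a C$ share, a mapped drive or a local scan.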
W32/Protorid-AB joins a predefined IRC channel and awaits further commands from a remote user. The backdoor component can then be instructed to perform the following:
take part in distributed denial of service (DDoS) attacks
upload/download files
list/terminate processes
report system hardware specifications
report operating system information
read/modify the system registry
scan networks for vulnerabilities
start a proxy server
A patch is available from Microsoft for the RPC-DCOM vulnerability at:
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx