W32/Protoride-H is a Windows worm that spreads via network shares. The worm also has a backdoor component that allows a malicious user remote access to an infected computer via the IRC network. This worm can also copy itself into the shared folders of several peer-to-peer (P2P) file sharing utilities.
This worm will copy itself into the Windows system folder as INTERNAT.EXE and set the following registry entries so that it is executed automatically upon restart:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"" = \"%1\" %*
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Taskbar Manager = C:\<Windows system>\internat.exe
To run automatically when Windows starts up, the worm may also change the following registry entry so that it is executed before any EXE file is run:
HKCR\exefile\shell\open\command\
"" = C:\<full file path> "%1 %*"
W32/Protoride-H is also capable of scanning the network and will attempt to copy itself to the following folders on unprotected shares:
\WINDOWS\Menu Iniciar\Programas\Iniciar\
\WIN98\Menu Iniciar\Programas\Iniciar\
\WINME\Menu Iniciar\Programas\Iniciar\
\WIN95\Menu Iniciar\Programas\Iniciar\
\WINDOWS.000\Menu Iniciar\Programas\Iniciar\
\WINDOWS\Start Menu\Programs\StartUp\
\WIN98\Start Menu\Programs\StartUp\
\WINME\Start Menu\Programs\StartUp\
\WIN95\Start Menu\Programs\StartUp\
\WINDOWS.000\Start Menu\Programs\StartUp\
\Documents and Settings\All Users\Start Menu\Programs\StartUp\
\Documents and Settings\All Users\Menu Iniciar\Programas\Iniciar\
\Documents and Settings\All Users\Menuen Start\Programmer\Start\
\WINDOWS\Menuen Start\Programmer\Start\
\WIN98\Menuen Start\Programmer\Start\
\WINME\Menuen Start\Programmer\Start\
\WIN95\Menuen Start\Programmer\Start\
\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
\WINDOWS\Menu Start\Programma's\Opstarten\
\WIN98\Menu Start\Programma's\Opstarten\
\WINME\Menu Start\Programma's\Opstarten\
\WIN95\Menu Start\Programma's\Opstarten\
\Documents and Settings\All Users\Start Menu\Programlar\BASLANGI
\WINDOWS\Start Menu\Programlar\BASLANGI
\WIN98\Start Menu\Programlar\BASLANGI
\WINME\Start Menu\Programlar\BASLANGI
\WIN95\Start Menu\Programlar\BASLANGI
\Documents and Settings\All Users\Menu Start\Programy\Autostart\
\WINDOWS\Menu Start\Programy\Autostart\
\WIN98\Menu Start\Programy\Autostart\
\WINME\Menu Start\Programy\Autostart\
\WIN95\Menu Start\Programy\Autostart\
\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
\WINDOWS\Start-meny\Programmer\Oppstart\
\WIN98\Start-meny\Programmer\Oppstart\
\WINME\Start-meny\Programmer\Oppstart\
\WIN95\Start-meny\Programmer\Oppstart\
\Documents and Settings\All Users\Start-menyn\Program\Autostart\
\WINDOWS\Start-menyn\Program\Autostart\
\WIN98\Start-menyn\Program\Autostart\
\WINME\Start-menyn\Program\Autostart\
\WIN95\Start-menyn\Program\Autostart\
\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
\WINDOWS\Menu Avvio\Programmi\Esecuzione automatica\
\WIN98\Menu Avvio\Programmi\Esecuzione automatica\
\WINME\Menu Avvio\Programmi\Esecuzione automatica\
\WIN95\Menu Avvio\Programmi\Esecuzione automatica
W32/Protoride-H may also set the registry entry:
HKLM\Software\BeyonD inDustries\ProtoType[v3]
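
The registry indicators listed above can be checked offline against a `reg export` dump of a suspect machine. The following is an added example, not part of the original advisory: the function names, the sample export and the `C:\WINDOWS\system32` path in it are constructed for illustration, and the stock `exefile` handler value `"%1" %*` is the standard Windows default.

```python
import re

# Constructed sample in `reg export` text form (not taken from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Taskbar Manager"="C:\\WINDOWS\\system32\\internat.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\internat.exe \"%1 %*\""

[HKEY_LOCAL_MACHINE\SOFTWARE\BeyonD inDustries\ProtoType[v3]]
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
CLEAN_EXE_HANDLER = '"%1" %*'  # stock Windows default for exefile\shell\open\command
RUN_KEY = r'hkey_local_machine\software\microsoft\windows\currentversion\run'

def unescape(s):
    # .reg string data escapes backslashes and quotes with a leading backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_export(text):
    """Return {lowercased key path: {value name: data}}; '' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = '' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def find_indicators(text):
    """Flag the three registry changes the advisory describes."""
    keys, hits = parse_export(text), []
    run = keys.get(RUN_KEY, {})
    for name, data in run.items():
        if name.lower() == 'windows taskbar manager':
            hits.append(('run_value', name, data))
    handler = keys.get(r'hkey_classes_root\exefile\shell\open\command', {}).get('')
    if handler is not None and handler != CLEAN_EXE_HANDLER:
        hits.append(('exefile_handler', '', handler))
    if r'hkey_local_machine\software\beyond industries\prototype[v3]' in keys:
        hits.append(('marker_key', 'ProtoType[v3]', ''))
    return hits
```

A modified `exefile` handler stops EXE files from launching normally once the worm's file is deleted, so that value should be restored to the stock default as part of cleanup.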