Troj/Prorat-D

Aliases	Backdoor.Prorat.15
Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Protection available since	16 March 2004 15:23:46 (GMT)
Detected by	All Sophos products

Sophos beta program
Register now for our latest beta tests

Endpoint Security and Control 9.0
Small business solutions 4.0

Action

Summary
Action
More Information

Please follow the instructions for removing Trojans.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Active Setup\Installed Components\
[5Y99AE78-58TT-11dW-BE53-Y67078979Y]\
StubPath = C:\\

HKLM\Software\Microsoft\Active Setup\Installed Components\
[A75aed00-d7bf-11d1-9947-00c0Cf98bbc9]\
StubPath = C:\<Windows System>\<filename>

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
DirectX for Microsoft Windows = C:\<Windows System>\<filename>

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Windows Reg Services = C:\<Windows System>\<filename>

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Reg Services = C:\<Windows System>\<filename>

and delete them if they exist.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell

it should contain a reference to explorer.exe (or possibly NALWIN32.exe if you are using NetWare) only. Remove the reference to C:\<Windows System>\<filename>. Do not remove the reference to explorer.exe.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\
Run\Windows Reg Services = C:\<Windows System>\<filename>

and delete it if it exists.

Close the registry editor.

Editing SYSTEM.INI and WIN.INI

At the taskbar, click Start|Run and type Sysedit.

Bring System.ini to the front. In the 'shell=' line in the [Boot] section, search for any references to the files you deleted. Delete only that reference, not any other text.
Bring Win.ini to the front. In the [windows] section, search for a line beginning with 'Run=' and delete any references to the files you removed. Delete only that reference, not any other text.

Reboot your computer.

More Information

Summary
Action
More Information

Troj/Prorat-D is a backdoor Trojan which may allow unauthorised access and control of the computer from a remote network location.

Upon execution, Troj/Prorat-D drops copies of itself into the Windows System or System32 folder using one or more of the filenames FSERVICE.EXE, FFSERVICE.EXE, DSERVICE.EXE, LSERVICE.EXE, SSERVICE.EXE and WSERVICE.EXE.

Troj/Prorat-D adds the following registry entries so that it is run on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Reg Services = C:\<Windows System>\<filename>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Reg Services = C:\<Windows System>\<filename>

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell = Explorer.exe C:\<Windows System>\<filename>

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Windows Reg Services = C:\<Windows System>\<filename>
DirectX for Microsoft Windows = C:\<Windows System>\<filename>

HKLM\Software\Microsoft\Active Setup\Installed Components\
[A75aed00-d7bf-11d1-9947-00c0Cf98bbc9]\
StubPath = C:\<Windows System>\<filename>

HKLM\Software\Microsoft\Active Setup\Installed Components\
[5Y99AE78-58TT-11dW-BE53-Y67078979Y]\
StubPath = C:\<Windows System>\<filename>

This Trojan may also attempt to download and install the file http://members.lycos.co.uk/kabloboy/XP_Update v1.5.3.exe.

This will be copied into the Windows folder under WINLOGON.EXE.

This program will drop the file WINKEY.DLL into the Windows System folder and create the following registry entry:

HKCU\Software\Microsoft DirectX\WinSettings\

Troj/Prorat-C is embedded within WINKEY.DLL.

The downloaded file will also change the value in the [boot] and [windows] sections of the files SYSTEM.INI and WIN.INI (respectively), in the Windows folder by including the path to a copy of the original file, e.g.

File : SYSTEM.INI
Section : boot
Parameter : shell
(New) Value : EXPLORER.EXE C:\<Windows System>\<filename>

File : WIN.INI
Section : windows
Parameter : run
(New) Value : C:\<Windows System>\<filename>

Troj/Prorat-D may also employ counter-removal tricks so that it becomes difficult to terminate the Trojan process.

Furthermore the Trojan may monitor the registry entries above such that the entries are restored immediately if changed.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

Troj/Prorat-D

Summary

Action

More Information