Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 2 November 2004 23:13:15 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Prorat-J is a multi-component backdoor Trojan.
Troj/Prorat-J initially drops and opens the files INCOM_.TXT and INCOM.EXE in the Windows system folder. INCOM_.TXT is a clean text file containing a message in Turkish. INCOM.EXE is another part of the Trojan that is also detected as Troj/Prorat-J. This initial dropper component may also drop and run a batch script with the same filename as itself in order to delete itself.
Troj/Prorat-J then copies itself to the Windows folder with the filename SERVICES.EXE, to the "system" Windows subfolder with the filename SSERVICE.EXE and to the "system32" subfolder with the filename FSERVICE.EXE. Troj/Prorat-J then sets the following registry entries so as to run these copies on system startup:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\[5Y99AE78-58TT-11dW-BE53-Y67078979Y]\
StubPath
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
DirectX For Microsoft(R) Windows
Troj/Prorat-J also sets the following registry entry so as to run itself through EXPLORER.EXE on system startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Troj/Prorat-J may attempt to set the following registry entry so as to disable Task Manager:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableTaskMgr = 1
Troj/Prorat-J sets a number of entries at the following location in the registry to determine how it will behave:
HKCU\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings
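As an added, defender-side example that is not from the Sophos page, the following Python parses a regedit-style export and reports the persistence and configuration changes described above (Active Setup StubPath, the policies Run entry, the altered Winlogon Shell, DisableTaskMgr and the WinSettings key). The sample export and the path each entry points to are constructed assumptions; the write-up does not say which dropped copy each entry launches.

```python
import re

# Registry-side indicators from the Sophos write-up on Troj/Prorat-J; the page prints the Active Setup id in square brackets, so we match the id string itself.
ACTIVE_SETUP_ID = "5Y99AE78-58TT-11dW-BE53-Y67078979Y".lower()
RUN_VALUE = "DirectX For Microsoft(R) Windows".lower()
WINSETTINGS_KEY = r"hkey_current_user\software\microsoft\windows nt script host\microsoft dxdiag\winsettings"

def parse_reg_export(text):
    """Parse regedit-style export text into {key path: {value name: data}} (keys and names lowercased)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            keys[current][name.lower()] = data.strip('"')
    return keys

def prorat_j_registry_findings(text):
    """Return one finding per Prorat-J persistence or configuration change present in the export."""
    findings = []
    for path, values in parse_reg_export(text).items():
        # Winlogon\Shell normally holds only explorer.exe; anything appended is launched at logon.
        if path.endswith(r"\winlogon") and values.get("shell", "explorer.exe").lower() != "explorer.exe":
            findings.append("Winlogon Shell altered: " + values["shell"])
        if path.endswith(r"\policies\system") and values.get("disabletaskmgr") == "dword:00000001":
            findings.append("Task Manager disabled via DisableTaskMgr")
        if path.endswith(r"\policies\explorer\run") and RUN_VALUE in values:
            findings.append("Policies Run entry: " + values[RUN_VALUE])
        if ACTIVE_SETUP_ID in path and "stubpath" in values:
            findings.append("Active Setup StubPath: " + values["stubpath"])
        if path == WINSETTINGS_KEY:
            findings.append("Prorat configuration key present: WinSettings")
    return findings

# Constructed sample export (not a real capture) containing the changes the write-up lists.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\FSERVICE.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"DirectX For Microsoft(R) Windows"="C:\\WINDOWS\\system\\SSERVICE.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}]
"StubPath"="C:\\WINDOWS\\SERVICES.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings]
"""
```

Run `prorat_j_registry_findings(SAMPLE_EXPORT)` against an export taken with `reg export` from a suspect host; a clean Winlogon key with `"Shell"="Explorer.exe"` produces no finding.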
Troj/Prorat-J drops the file REGINV.DLL to the Windows system folder and this file is also detected as Troj/Prorat-J. This component provides stealthing and makes it difficult to detect and delete the Trojan on disk and in the registry.
Troj/Prorat-J drops the file WINKEY.DLL to the Windows system folder and this file is detected as Troj/Prorat-H. This component provides keylogging.
Troj/Prorat-J may also attempt to drop a file detected as Troj/LdPinch-AG.
Troj/Prorat-J drops another Turkish text file as KTD32.ATM in the Windows folder.
Troj/Prorat-J may create log files in the Windows temp folder.
Troj/Prorat-J may attempt to terminate certain windows, processes and services related to anti-virus or security software. This includes attempting to stop the following services and preventing them from running on system startup so as to interfere with the Windows XP firewall and the XP system recovery:
WSCSVC
SharedAccess
SRSERVICE
Troj/Prorat-J may attempt to download a number of files from remote websites.
Troj/Prorat-J sends information about the infected computer, including the results of the keylogging, in the form of an email from ProRat@Yahoo.Com to tarco1@yahoo.com.
Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against the main component of Troj/Prorat-J (detected as Troj/Prorat-Fam) since version 3.87.

