Summary

| | |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 9 January 2006 22:35:22 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/PPdoor-R is a worm with backdoor functionality for the Windows platform.
W32/PPdoor-R spreads by copying itself to network shares protected by weak passwords.
The backdoor component of W32/PPdoor-R listens for further commands from a remote user. W32/PPdoor-R may also act as a SOCKS, mail and P2P proxy.
W32/PPdoor-R includes functionality to access the internet and communicate with a remote server via HTTP.
When W32/PPdoor-R is installed the following files are created:
<Windows system folder>\arpo412.exe
<Windows system folder>\mqadonfg.dll
<Windows system folder>\winrpmsg.dll
<Windows system folder>\wndfxyfi.dll
<Windows system folder>\hgakheg.dll
<Windows system folder>\vjoytl32.dll
Arpo412.exe, mqadonfg.dll and winrpmsg.dll are detected as W32/PPdoor-R. wndfxyfi.dll, hgakheg.dll and vjoytl32.dll are harmless data files that may be safely deleted.
The following registry entries are created to run arpo412.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Shedule Connection
<Windows system folder>\arpo412.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Shedule Connection
<Windows system folder>\arpo412.exe
The following registry entry is changed to run arpo412.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<Windows system folder>\userinit.exe,<Windows system folder>\arpo412.exe
(the default value for this registry entry is "<Windows folder>\System32\userinit.exe,").
The following registry entry is created to run code exported by the Trojan library on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Shedule WebControl
{542B4183-DA4E-478D-9C92-211A13EDFAEA}
The file mqadonfg.dll is registered as a COM object, creating registry entries under:
HKCR\CLSID\{542B4183-DA4E-478D-9C92-211A13EDFAEA}
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe,arpo412.exe
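The file drops and the four persistence mechanisms listed above (Run keys, Winlogon Userinit, ShellServiceObjectDelayLoad and Winlogon Shell) can be checked on a host in one pass. The following read-only audit script is an added example, not part of the Sophos analysis; it assumes an elevated PowerShell session on the machine being examined and reports only on the indicators named on this page, removing nothing.

```powershell
# Added audit script (not from the Sophos page): looks for the W32/PPdoor-R
# artefacts described above. Read-only; it removes nothing.
# Assumed: run in an elevated PowerShell session on the host being examined.

$sys32    = [Environment]::GetFolderPath('System')   # <Windows system folder>
$clsid    = '{542B4183-DA4E-478D-9C92-211A13EDFAEA}'
$findings = @()

# 1. Files dropped by the worm (three detected components, three data files)
foreach ($name in 'arpo412.exe','mqadonfg.dll','winrpmsg.dll',
                  'wndfxyfi.dll','hgakheg.dll','vjoytl32.dll') {
    $path = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# 2. Run keys: value name "Shedule Connection" (the worm's own spelling)
foreach ($hive in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $v = (Get-ItemProperty -Path $hive -Name 'Shedule Connection' `
            -ErrorAction SilentlyContinue).'Shedule Connection'
    if ($v) { $findings += "Run value in ${hive}: $v" }
}

# 3. Winlogon Userinit: the default ends with "userinit.exe,"; the worm appends itself
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit `
               -ErrorAction SilentlyContinue).Userinit
if ($userinit -and $userinit -match 'arpo412\.exe') {
    $findings += "Winlogon Userinit modified: $userinit"
}

# 4. Winlogon Shell: default is "Explorer.exe"; anything after the comma is suspect
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'Explorer.exe') {
    $findings += "Winlogon Shell modified: $shell"
}

# 5. ShellServiceObjectDelayLoad: any value (the page names "Shedule WebControl")
#    whose data is the backdoor's CLSID
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$props = Get-ItemProperty -Path $ssodl -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -eq $clsid) {
            $findings += "SSODL entry '$($p.Name)' loads $clsid"
        }
    }
}

# 6. COM registration of mqadonfg.dll under HKCR\CLSID
$comKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
if (Test-Path -LiteralPath $comKey) {
    $srv = (Get-ItemProperty -Path "$comKey\InProcServer32" `
              -ErrorAction SilentlyContinue).'(default)'
    $findings += "COM class $clsid registered (InProcServer32: $srv)"
}

if ($findings.Count -eq 0) { 'No W32/PPdoor-R indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The Userinit and Shell checks are the ones worth keeping in a general baseline even after this worm is gone: both values are loaded by Winlogon for every interactive logon, so any program appended after the default `userinit.exe,` or `Explorer.exe` entry runs before the user's own session is fully up. If the script reports findings, follow the worm removal instructions referenced in the Action section rather than deleting the entries by hand.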
