W32/Protorid-AD

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Network shares Chat programs
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	18 April 2005 07:17:31 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/Protorid-AD is a Windows worm that spreads via network shares. The worm also has a backdoor component that allows a malicious user remote access to an infected computer via the IRC network.

The worm may set the following registry entries so that it is executed automatically upon restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows Taskbar Manager
<path to EXE>

The worm may also set the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
@
"%1" %*

W32/Protorid-AD is also capable of scanning the network and will attempt to copy itself as INTERNAT.EXE in the startup folder of shared network computers:

\Documents and Settings\All Users\Start Menu\Programs\StartUp
\WINDOWS\Start Menu\Programs\StartUp\
\WIN98\Start Menu\Programs\StartUp\
\WINME\Start Menu\Programs\StartUp\
\WIN95\Start Menu\Programs\StartUp\
\WINDOWS.000\Start Menu\Programs\StartUp\

\Documents and Settings\All Users\Menu Iniciar\Programas\Iniciar\
\WINDOWS\Menu Iniciar\Programas\Iniciar\
\WIN98\Menu Iniciar\Programas\Iniciar\
\WINME\Menu Iniciar\Programas\Iniciar\
\WIN95\Menu Iniciar\Programas\Iniciar\
\WINDOWS.000\Menu Iniciar\Programas\Iniciar\
\Documents and Settings\All Users\Men· Inicio

\Programas\Inicio\
\WINDOWS\Men· Inicio\Programas\Inicio\
\WIN98\Men· Inicio\Programas\Inicio\
\WINME\Men· Inicio\Programas\Inicio\
\WIN95\Men· Inicio\Programas\Inicio\
\WINDOWS.000\MenInicio\Programas\Inicio\

\Documents and Settings\All Users\KSynnistS-valikko\Ohjelmat\KSynnistys\
\WINDOWS\KSynnistS-valikko\Ohjelmat\KSynnistys\
\WIN98\KSynnistS-valikko\Ohjelmat\KSynnistys\
WINME\KSynnistS-valikko\Ohjelmat\KSynnistys\
\WIN95\KSynnistS-valikko\Ohjelmat\KSynnistys\

\Documents and Settings\All Users\Menu DTmarrer\Programmes\DTmarrage\
\WINDOWS\Menu DTmarrer\Programmes\DTmarrage\
\WIN98\Menu DTmarrer\Programmes\DTmarrage\
\WINME\Menu DTmarrer\Programmes\DTmarrage\
\WIN95\Menu DTmarrer\Programmes\DTmarrage\

\Documents and Settings\All Users\Menuen Start\Programmer\Start\
\WINDOWS\Menuen Start\Programmer\Start\
\WIN98\Menuen Start\Programmer\Start\
\WINME\Menuen Start\Programmer\Start\
\WIN95\Menuen Start\Programmer\Start\

\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
\WINDOWS\Menu Start\Programma's\Opstarten\
\WIN98\Menu Start\Programma's\Opstarten\
\WINME\Menu Start\Programma's\Opstarten\
\WIN95\Menu Start\Programma's\Opstarten\

\Documents and Settings\All Users\Start Menu\Programlar\BASLANGI\
\WINDOWS\Start Menu\Programlar\BASLANGI\
\WIN98\Start Menu\Programlar\BASLANGI\
\WINME\Start Menu\Programlar\BASLANGI\
\WIN95\Start Menu\Programlar\BASLANGI\

\Documents and Settings\All Users\Menu Start\Programy\Autostart\
\WINDOWS\Menu Start\Programy\Autostart\
\WIN98\Menu Start\Programy\Autostart\
\WINME\Menu Start\Programy\Autostart\
\WIN95\Menu Start\Programy\Autostart\

\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
\WINDOWS\Start-meny\Programmer\Oppstart\
\WIN98\Start-meny\Programmer\Oppstart\
\WINME\Start-meny\Programmer\Oppstart\
\WIN95\Start-meny\Programmer\Oppstart\

\Documents and Settings\All Users\Start-menyn\Program\Autostart\
\WINDOWS\Start-menyn\Program\Autostart\
\WIN98\Start-menyn\Program\Autostart\
\WINME\Start-menyn\Program\Autostart\
\WIN95\Start-menyn\Program\Autostart\

\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
\WINDOWS\Menu Avvio\Programmi\Esecuzione automatica\
\WIN98\Menu Avvio\Programmi\Esecuzione automatica\
\WINME\Menu Avvio\Programmi\Esecuzione automatica\
\WIN95\Menu Avvio\Programmi\Esecuzione automatica\

\Dokumente und Einstellungen\All Users\Startmenn\Programme\Autostart\
\WINDOWS\Startmenn\Programme\Autostart\
\WIN98\Startmenn\Programme\Autostart\
\WINME\Startmenn\Programme\Autostart\
\WIN95\Startmenn\Programme\Autostart\
\WINDOWS.000\Startmenn\Programme\Autostart\

The worm may also scan the network for backdoors left open by the following families of Trojans and worms:

Sub7
Optix
NetDevil
MyDoom

The worm also has the ability to spread via mIRC.

When instructed by a remote attacker, the backdoor component of the worm has a set of capabilities which may be executed, including:

run a remote shell
download files from the internet and run them
terminate processes
hide processes
list processes
run in the background as a service process
steal system information
lauch a DOS attack
manipulate the registry

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Protorid-AD

Summary

Action

More Information