W32/Protorid-AF

Aliases	Email-Worm.Win32.Mydoom.aw W32.IRCBot.Gen
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Network shares
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	15 December 2005 09:09:43 (GMT)
Detected by	All Sophos products

Sophos beta program
Register now for our latest beta tests

Endpoint Security and Control 9.0
Small business solutions 4.0

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/Protorid-AF is a worm and IRC backdoor Trojan for the Windows platform.

W32/Protorid-AF has the functionalities to:

- spread via network shares
- provide a backdoor to allow remote access and control via IRC

When run, W32/Protorid-AF copies itself to <System>\b0ff.exe.

When run, W32/Protorid-AF sets the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe b0ff.exe

W32/Protorid-AF may copy itself as Synd.exe to shared network drives in the following paths:

\Documents and Settings\All Users\Start Menu\Programs\Startup\
\WINDOWS\Start Menu\Programs\Startup\
\WINNT\Profiles\All Users\Start Menu\Programs\Startup\
\Documents and Settings\All Users\Kuynnistu-valikko\Ohjelmat\Kuynnistys\
\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
\Documents and Settings\All Users\Menu Dumarrer\Programmes\Dumarrage\
\Documents and Settings\All Users\Menu Dmarrer\Programmes\Dmarrage\
\Documents and Settings\All Users\Menu Iniciar\Programas\Iniciar\
\Documents and Settings\All Users\Menu Inicio\Programas\Inicio\
\Documents and Settings\All Users\Menu Start\Programmas\Opstarten\
\Documents and Settings\All Users\Menu Start\Programy\Autostart\
\Documents and Settings\All Users\Menuen Start\Programmer\Start\
\Documents and Settings\All Users\Start Menu\Programlar\BASLANGI\
\Documents and Settings\All Users\Start Menu\Programs\StartUp\
\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
\Documents and Settings\All Users\Start-menyn\Program\Autostart\
\Dokumente und Einstellungen\All Users\Startmenu\Programme\Autostart\
\WIN95\Kuynnistu-valikko\Ohjelmat\Kuynnistys\
\WIN95\Menu Avvio\Programmi\Esecuzione automatica\
\WIN95\Menu Dumarrer\Programmes\Dumarrage\
\WIN95\Menu Iniciar\Programas\Iniciar\
\WIN95\Menu Inicio\Programas\Inicio\
\WIN95\Menu Start\Programmas\Opstarten\
\WIN95\Menu Start\Programy\Autostart\
\WIN95\Menuen Start\Programmer\Start\
\WIN95\Start Menu\Programlar\BASLANGI\
\WIN95\Start Menu\Programs\StartUp\
\WIN95\Start-meny\Programmer\Oppstart\
\WIN95\Start-menyn\Program\Autostart\
\WIN95\Startmenu\Programme\Autostart\
\WIN98\Kuynnistu-valikko\Ohjelmat\Kuynnistys\
\WIN98\Menu Avvio\Programmi\Esecuzione automatica\
\WIN98\Menu Dumarrer\Programmes\Dumarrage\
\WIN98\Menu Iniciar\Programas\Iniciar\
\WIN98\Menu Inicio\Programas\Inicio\
\WIN98\Menu Start\Programmas\Opstarten\
\WIN98\Menu Start\Programy\Autostart\
\WIN98\Menuen Start\Programmer\Start\
\WIN98\Start Menu\Programlar\BASLANGI\
\WIN98\Start Menu\Programs\StartUp\
\WIN98\Start-meny\Programmer\Oppstart\
\WIN98\Start-menyn\Program\Autostart\
\WIN98\Startmenu\Programme\Autostart\
\WINDOWS.000\Menu Iniciar\Programas\Iniciar\
\WINDOWS.000\Menu Inicio\Programas\Inicio\
\WINDOWS.000\Start Menu\Programs\StartUp\
\WINDOWS.000\Startmenu\Programme\Autostart\
\WINDOWS\Kuynnistu-valikko\Ohjelmat\Kuynnistys\
\WINDOWS\Menu Avvio\Programmi\Esecuzione automatica\
\WINDOWS\Menu Dumarrer\Programmes\Dumarrage\
\WINDOWS\Menu Iniciar\Programas\Iniciar\
\WINDOWS\Menu Inicio\Programas\Inicio\
\WINDOWS\Menu Start\Programmas\Opstarten\
\WINDOWS\Menu Start\Programy\Autostart\
\WINDOWS\Menuen Start\Programmer\Start\
\WINDOWS\Start Menu\Programlar\BASLANGI\
\WINDOWS\Start Menu\Programs\StartUp\
\WINDOWS\Start-meny\Programmer\Oppstart\
\WINDOWS\Start-menyn\Program\Autostart\
\WINDOWS\Startmenu\Programme\Autostart\
\WINME\Kuynnistu-valikko\Ohjelmat\Kuynnistys\
\WINME\Menu Avvio\Programmi\Esecuzione automatica\
\WINME\Menu Dumarrer\Programmes\Dumarrage\
\WINME\Menu Iniciar\Programas\Iniciar\
\WINME\Menu Inicio\Programas\Inicio\
\WINME\Menu Start\Programmas\Opstarten\
\WINME\Menu Start\Programy\Autostart\
\WINME\Menuen Start\Programmer\Start\
\WINME\Start Menu\Programlar\BASLANGI\
\WINME\Start Menu\Programs\StartUp\
\WINME\Start-meny\Programmer\Oppstart\
\WINME\Start-menyn\Program\Autostart\
\WINME\Startmenu\Programme\Autostart\

W32/Protorid-AF may exploit backdoors left open by the following families of Trojans and worms:

- Sub7
- MyDoom

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Protorid-AF

Summary

Action

More Information