Sophos

Troj/Prorat-O

Aliases
  • Trojan-Downloader.Win32.Small.rc

Summary

 
Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Included in our products from September 2005 (3.97)
Protection available since 19 July 2005 10:29:03 (GMT)
Detected by All Sophos products

More Information

Troj/Prorat-O is a Trojan for the Windows platform.

Troj/Prorat-O creates a file lncom_.jpg and displays the image while installing itself.

The image displayed by Troj/Prorat-O

When run, Troj/Prorat-O copies itself to the Windows system folder with the following names:

ffservice.exe
lncom.exe
lservice.exe
wservice.exe

In order to run each time a user logs on, Troj/Prorat-O sets the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Reg Services
"<path to Trojan EXE>"

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(a75aed00-d7bf-11d1-9947-00c0Cf98bbc9)\
<several entries>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Reg Services
"<path to Trojan EXE>"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Windows Reg Services
"<path to Trojan EXE>"

The Trojan attempts to download and install files from a remote site. At the time of writing, the remote site was unavailable.
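
A host check for the persistence entries and file names listed above, as an added example that is not part of the original Sophos write-up. It assumes "Windows system folder" means `System32` (with `SysWOW64` also checked), and it skips the Active Setup key because the page does not list that key's entries.

```powershell
# Indicators taken from the write-up above.
$valueName = 'Windows Reg Services'
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
)
$fileNames = 'ffservice.exe', 'lncom.exe', 'lservice.exe', 'wservice.exe'

# Assumption: "Windows system folder" means System32; SysWOW64 is also checked
# because a 32-bit process on 64-bit Windows is redirected there.
$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
) | Where-Object { Test-Path -LiteralPath $_ }

$findings = @()

# Look for the autostart value name under each Run key named on the page.
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.PSObject.Properties.Name -contains $valueName) {
        $findings += [pscustomobject]@{
            Type     = 'RunValue'
            Location = $key
            Detail   = $props.$valueName   # path the value points at
        }
    }
}

# Look for the dropped copies by file name in the system folder(s).
foreach ($dir in $systemDirs) {
    foreach ($name in $fileNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path -Force
            $findings += [pscustomobject]@{
                Type     = 'File'
                Location = $path
                Detail   = "{0} bytes, written {1:u}" -f $item.Length, $item.LastWriteTimeUtc
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No Troj/Prorat-O indicators from this page were found.' }
```

A file-name match on its own is weak evidence, since unrelated software can use the same names; a `Windows Reg Services` Run value pointing at one of those files is the stronger signal. The HKCU key reflects only the account running the script, so repeat the check per user profile where needed.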
