Sophos

W32/Protoride-H

Aliases
  • Agent
  • Sdbot

Summary

Included in our products from September 2004 (3.85)
Protection available since 15 July 2004 09:31:40 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Renaming the registry editor

  • Using Windows Explorer, browse to the Windows folder (usually C:\Windows or C:\Winnt), right-click Regedit.exe and make a copy of it.
  • Rename the copy of Regedit.exe to Regedit.com.
  • At the taskbar, click Start|Run. Type 'Regedit.com' and press Return. The registry editor opens.

Editing the registry

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"" = \"%1\" %*

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Taskbar Manager = C:\<Windows system>\internat.exe

and delete them if they exist.

Locate the HKEY_CLASSES_ROOT entry:

Typically an unaltered registry entry will be set to

HKCR\exefile\shell\open\command\(default) = "%1" %*

The altered registry entry will be

HKCR\exefile\shell\open\command\(default) = <path to worm> "%1" %*

Delete only the path to the worm. Do not delete anything else.

Close the registry editor.

Checking other computers on the network

Copies of the worm may have been dropped on open shares on other computers in your network.

  • Run a scan on other computers to check them. Do not reboot first.
  • Review network security.
  • If worm files have been dropped on Windows 95/98/Me computers, disable sharing of the C: drive. Right-click the C: drive in Windows Explorer, select Sharing, then unshare the C: drive. Shares created on individual folders other than the Windows folder are not a security risk. If you must share the C: drive of a Windows 95/98/Me computer attached to the Internet, consider installing a firewall.

More Information

W32/Protoride-H is a Windows worm that spreads via network shares. The worm also has a backdoor component that allows a malicious user remote access to an infected computer via the IRC network. This worm can also copy itself into the shared folders of several peer-to-peer (P2P) file sharing utilities.

This worm will copy itself into the Windows system folder as INTERNAT.EXE and set the following registry entries so that it is executed automatically upon restart:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"" = \"%1\" %*

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Taskbar Manager = C:\<Windows system>\internat.exe

In order to run automatically when Windows starts up, the worm may change the following registry entry so that it is executed before any EXE file is run:

HKCR\exefile\shell\open\command\
"" = C:\<full file path> "%1 %*"
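The two persistence mechanisms above (the Run values and the altered EXE-file launch command) can be checked without opening Regedit by hand. The following is an added example, not Sophos's code or part of this analysis: it classifies the `(default)` value of `HKCR\exefile\shell\open\command` by splitting off anything that precedes the `"%1" %*` launch template, flags Run values matching the indicators on this page (the `Windows Taskbar Manager` value, a value launching `internat.exe`, or a default value holding the launch template), and on Windows reads the live keys through the standard `winreg` module. The sample values in the code are constructed; the worm's real path is not known from this page, so a file name match is treated as an indicator to confirm with a scan, not as proof.

```python
import sys
from typing import Dict, List, Optional, Tuple

# Unaltered (default) value of HKCR\exefile\shell\open\command, as given on the page.
CLEAN_EXEFILE_COMMAND = '"%1" %*'
# Run value name and dropped file name the page attributes to the worm.
WORM_RUN_VALUE_NAME = "windows taskbar manager"
WORM_FILE_NAME = "internat.exe"


def parse_exefile_command(value: str) -> Tuple[bool, Optional[str], str]:
    """Classify the (default) value of HKCR\\exefile\\shell\\open\\command.

    Returns (altered, injected_prefix, restored_value). The page's altered form
    is '<path to worm> "%1" %*' (or the worm's own '"%1 %*"' quoting), so any
    text before the launch template's %1 is the injected path. Restoration keeps
    the template and drops only that prefix, as the removal steps require.
    """
    text = " ".join(value.split())  # collapse whitespace so spacing alone is not "altered"
    if text == CLEAN_EXEFILE_COMMAND:
        return (False, None, text)
    idx = text.find("%1")
    if idx == -1:
        # No launch template at all: nothing to strip safely, so only report it
        # and propose the stock value; never auto-apply this case.
        return (True, text, CLEAN_EXEFILE_COMMAND)
    if idx > 0 and text[idx - 1] == '"':
        idx -= 1  # the opening quote belongs to the template, not the prefix
    prefix = text[:idx].strip()
    return (True, prefix or None, CLEAN_EXEFILE_COMMAND)


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Return the value names in a Run key that match the page's indicators.

    A file name match is an indicator only; confirm with a product scan.
    """
    flagged: List[str] = []
    for name, data in run_values.items():
        normalised = " ".join(str(data).split()).lower()
        if (name.lower() == WORM_RUN_VALUE_NAME
                or WORM_FILE_NAME in normalised
                or (name == "" and "%1" in normalised)):
            flagged.append(name)
    return flagged


def read_live_exefile_command() -> Optional[str]:
    """On Windows, read the real HKCR\\exefile\\shell\\open\\command default; elsewhere None."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, hence the late import
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")  # "" selects the (default) value
    return str(value)


def read_live_run_values() -> Dict[str, str]:
    """On Windows, enumerate HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run; elsewhere {}."""
    if sys.platform != "win32":
        return {}
    import winreg
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under this key
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    # Constructed sample values, not taken from a real infected machine.
    sample_cmd = r'C:\WINDOWS\SYSTEM32\internat.exe "%1" %*'
    print(parse_exefile_command(sample_cmd))
    sample_run = {"Windows Taskbar Manager": r"C:\WINDOWS\SYSTEM32\internat.exe",
                  "ctfmon.exe": r"C:\WINDOWS\SYSTEM32\ctfmon.exe"}
    print(suspicious_run_entries(sample_run))
```

The parser deliberately only reports what it would restore; writing the stock value back is left to the operator, because on a machine where the launch command has been tampered with, Regedit itself may not start until the `.com` copy described above is used.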

W32/Protoride-H is also capable of scanning the network and will attempt to copy itself to the following folders on unprotected shares:

\WINDOWS\Menu Iniciar\Programas\Iniciar\
\WIN98\Menu Iniciar\Programas\Iniciar\
\WINME\Menu Iniciar\Programas\Iniciar\
\WIN95\Menu Iniciar\Programas\Iniciar\
\WINDOWS.000\Menu Iniciar\Programas\Iniciar\

\WINDOWS\Start Menu\Programs\StartUp\
\WIN98\Start Menu\Programs\StartUp\
\WINME\Start Menu\Programs\StartUp\
\WIN95\Start Menu\Programs\StartUp\
\WINDOWS.000\Start Menu\Programs\StartUp\

\Documents and Settings\All Users\Start Menu\Programs\StartUp\
\Documents and Settings\All Users\Menu Iniciar\Programas\Iniciar\

\Documents and Settings\All Users\Menuen Start\Programmer\Start\
\WINDOWS\Menuen Start\Programmer\Start\
\WIN98\Menuen Start\Programmer\Start\
\WINME\Menuen Start\Programmer\Start\
\WIN95\Menuen Start\Programmer\Start\
\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
\WINDOWS\Menu Start\Programma's\Opstarten\
\WIN98\Menu Start\Programma's\Opstarten\
\WINME\Menu Start\Programma's\Opstarten\
\WIN95\Menu Start\Programma's\Opstarten\
\Documents and Settings\All Users\Start Menu\Programlar\BASLANGI
\WINDOWS\Start Menu\Programlar\BASLANGI
\WIN98\Start Menu\Programlar\BASLANGI
\WINME\Start Menu\Programlar\BASLANGI
\WIN95\Start Menu\Programlar\BASLANGI
\Documents and Settings\All Users\Menu Start\Programy\Autostart\
\WINDOWS\Menu Start\Programy\Autostart\
\WIN98\Menu Start\Programy\Autostart\
\WINME\Menu Start\Programy\Autostart\
\WIN95\Menu Start\Programy\Autostart\
\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
\WINDOWS\Start-meny\Programmer\Oppstart\
\WIN98\Start-meny\Programmer\Oppstart\
\WINME\Start-meny\Programmer\Oppstart\
\WIN95\Start-meny\Programmer\Oppstart\
\Documents and Settings\All Users\Start-menyn\Program\Autostart\
\WINDOWS\Start-menyn\Program\Autostart\
\WIN98\Start-menyn\Program\Autostart\
\WINME\Start-menyn\Program\Autostart\
\WIN95\Start-menyn\Program\Autostart\
\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
\WINDOWS\Menu Avvio\Programmi\Esecuzione automatica\
\WIN98\Menu Avvio\Programmi\Esecuzione automatica\
\WINME\Menu Avvio\Programmi\Esecuzione automatica\
\WIN95\Menu Avvio\Programmi\Esecuzione automatica
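The folder list above is the worm's target set on an open share, which is also where a network-wide check should look. The following is an added example, not Sophos's code: it rebuilds the list as the cross product of the Windows folder names and the localised StartUp suffixes on this page (a slight superset of the list, since the page does not pair every root with every locale), then looks for a dropped copy under a share root, matching the file name case-insensitively so the check also works when the share is mounted on a non-Windows host. The throwaway share it scans in `demo_on_constructed_share` is constructed with a placeholder file, not a real sample.

```python
import tempfile
from pathlib import Path
from typing import List, Optional

# Windows folder names the worm tries on a share (from the page's list).
WINDOWS_ROOTS = ["WINDOWS", "WIN98", "WINME", "WIN95", "WINDOWS.000"]
ALL_USERS_ROOT = r"Documents and Settings\All Users"

# Localised Start Menu\Programs\StartUp suffixes from the page's list.
STARTUP_SUFFIXES = [
    r"Menu Iniciar\Programas\Iniciar",
    r"Start Menu\Programs\StartUp",
    r"Menuen Start\Programmer\Start",
    r"Menu Start\Programma's\Opstarten",
    r"Start Menu\Programlar\BASLANGI",
    r"Menu Start\Programy\Autostart",
    r"Start-meny\Programmer\Oppstart",
    r"Start-menyn\Program\Autostart",
    r"Menu Avvio\Programmi\Esecuzione automatica",
]


def startup_folder_candidates() -> List[str]:
    """Cross product of roots and localised suffixes (a superset of the page's list)."""
    roots = WINDOWS_ROOTS + [ALL_USERS_ROOT]
    return [root + "\\" + suffix for root in roots for suffix in STARTUP_SUFFIXES]


def _to_local(share_root: Path, win_relative: str) -> Path:
    # Split on backslash so the same check works from a non-Windows scanner host.
    return share_root.joinpath(*win_relative.split("\\"))


def _find_case_insensitive(folder: Path, filename: str) -> Optional[Path]:
    """NTFS/FAT are case-insensitive; emulate that when the share is mounted elsewhere."""
    if not folder.is_dir():
        return None
    for entry in folder.iterdir():
        if entry.name.lower() == filename.lower() and entry.is_file():
            return entry
    return None


def find_dropped_copies(share_root: Path, filename: str = "internat.exe") -> List[str]:
    """Return Windows-style relative paths under share_root where a file named
    `filename` sits in one of the worm's StartUp target folders."""
    hits: List[str] = []
    for rel in startup_folder_candidates():
        found = _find_case_insensitive(_to_local(share_root, rel), filename)
        if found is not None:
            hits.append(rel + "\\" + found.name)
    return sorted(hits)


def demo_on_constructed_share() -> List[str]:
    """Build a throwaway 'share' with one planted placeholder file and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        planted = _to_local(root, r"WINDOWS\Start Menu\Programs\StartUp") / "INTERNAT.EXE"
        planted.parent.mkdir(parents=True)
        planted.write_bytes(b"constructed placeholder, not the worm")
        (root / "notes.txt").write_text("benign file outside any StartUp folder")
        return find_dropped_copies(root)


if __name__ == "__main__":
    print(demo_on_constructed_share())
```

Anything the scan reports is a candidate for the product scan the page calls for, not a verdict; the same file name may legitimately exist elsewhere on a system, which is why the check is confined to the StartUp folders the worm targets.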

W32/Protoride-H may also set the registry entry:
HKLM\Software\BeyonD inDustries\ProtoType[v3]
