Troj/Prorat-D

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/Prorat-D is a backdoor Trojan which may allow unauthorised access and control of the computer from a remote network location.

Upon execution, Troj/Prorat-D drops copies of itself into the Windows System or System32 folder using one or more of the filenames FSERVICE.EXE, FFSERVICE.EXE, DSERVICE.EXE, LSERVICE.EXE, SSERVICE.EXE and WSERVICE.EXE.

Troj/Prorat-D adds the following registry entries so that it is run on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Reg Services = C:\<Windows System>\<filename>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Reg Services = C:\<Windows System>\<filename>

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell = Explorer.exe C:\<Windows System>\<filename>

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Windows Reg Services = C:\<Windows System>\<filename>
DirectX for Microsoft Windows = C:\<Windows System>\<filename>

HKLM\Software\Microsoft\Active Setup\Installed Components\
[A75aed00-d7bf-11d1-9947-00c0Cf98bbc9]\
StubPath = C:\<Windows System>\<filename>

HKLM\Software\Microsoft\Active Setup\Installed Components\
[5Y99AE78-58TT-11dW-BE53-Y67078979Y]\
StubPath = C:\<Windows System>\<filename>

This Trojan may also attempt to download and install the file http://members.lycos.co.uk/kabloboy/XP_Update v1.5.3.exe.

The downloaded file is saved into the Windows folder as WINLOGON.EXE.

This program drops the file WINKEY.DLL into the Windows System folder and creates the following registry key:

HKCU\Software\Microsoft DirectX\WinSettings\

Troj/Prorat-C is embedded within WINKEY.DLL.

The downloaded file also changes the shell parameter in the [boot] section of SYSTEM.INI and the run parameter in the [windows] section of WIN.INI (both in the Windows folder) so that they include the path to one of the dropped copies of the Trojan, e.g.

File : SYSTEM.INI
Section : boot
Parameter : shell
(New) Value : EXPLORER.EXE C:\<Windows System>\<filename>

File : WIN.INI
Section : windows
Parameter : run
(New) Value : C:\<Windows System>\<filename>
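The registry entries and the SYSTEM.INI/WIN.INI changes listed above are the persistence points an analyst would check first. The following Python script is an added example, not Sophos code: it triages artifacts already exported from a suspect machine (a Regedit 5.00 .reg export and copies of SYSTEM.INI and WIN.INI), so it runs offline on any platform. The sample inputs at the bottom are constructed for illustration; the FSERVICE.EXE name and the first Active Setup GUID are taken from the advisory (written with braces, as Regedit exports it), and the ctfmon.exe entry is an assumed benign value to show that ordinary autoruns are not flagged.

```python
"""Offline triage for the Troj/Prorat-D persistence points listed in the advisory.

Added example (not Sophos code).  Input is a Regedit 5.00 .reg export plus the
text of SYSTEM.INI and WIN.INI; all sample data below is constructed."""
import re

# Filenames the advisory lists for the dropped copies, plus the downloaded
# second-stage components.  A legitimate winlogon.exe is never launched from a
# Run key, so any autorun reference to that name is treated as suspect too.
DROPPED_NAMES = {
    "fservice.exe", "ffservice.exe", "dservice.exe", "lservice.exe",
    "sservice.exe", "wservice.exe", "winlogon.exe", "winkey.dll",
}
# Value names the advisory says the Trojan writes under the Run keys.
RUN_VALUE_NAMES = {"windows reg services", "directx for microsoft windows"}
WINLOGON = "\\windows nt\\currentversion\\winlogon"
ACTIVE_SETUP = "\\active setup\\installed components\\"


def unescape(s):
    # In .reg string data a backslash quotes the next character (\\ and \").
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse a Regedit 5.00 export into {key_path: {value_name: data}}.
    Only REG_SZ values ("name"="data") are decoded; that is all that is needed."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$', line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(2))
        keys[current][name] = unescape(m.group(3))
    return keys


def referenced_binary(data):
    """Lower-cased basename of the last path in a command-line style value:
    'Explorer.exe C:\\WINDOWS\\System32\\fservice.exe' -> 'fservice.exe'."""
    tokens = data.split()
    return tokens[-1].rsplit("\\", 1)[-1].lower() if tokens else ""


def scan_registry(keys):
    """Return (key, value_name, data) for each autorun entry matching the advisory."""
    findings = []
    for path, values in keys.items():
        lp = path.lower()
        for name, data in values.items():
            suspect_binary = referenced_binary(data) in DROPPED_NAMES
            if "\\currentversion\\run" in lp:  # covers Run and policies\Explorer\Run
                hit = name.lower() in RUN_VALUE_NAMES or suspect_binary
            elif lp.endswith(WINLOGON):
                # Shell must be exactly Explorer.exe; the Trojan appends its own path.
                hit = name.lower() == "shell" and data.lower() != "explorer.exe"
            elif ACTIVE_SETUP in lp:
                # Many legitimate StubPath values exist, so require a known dropped name.
                hit = name.lower() == "stubpath" and suspect_binary
            else:
                hit = False
            if hit:
                findings.append((path, name, data))
    return findings


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}, section and key lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def scan_ini(filename, text):
    """Flag the two legacy autorun parameters the advisory names: [boot] shell
    must be exactly explorer.exe, and [windows] run is normally empty."""
    ini = parse_ini(text)
    findings = []
    shell = ini.get("boot", {}).get("shell", "")
    if shell and shell.lower() != "explorer.exe":
        findings.append((filename, "boot/shell", shell))
    run = ini.get("windows", {}).get("run", "")
    if run:
        findings.append((filename, "windows/run", run))
    return findings


def triage(reg_text, system_ini, win_ini):
    return (scan_registry(parse_reg_export(reg_text))
            + scan_ini("SYSTEM.INI", system_ini)
            + scan_ini("WIN.INI", win_ini))


# Constructed sample artifacts; ctfmon.exe is an assumed benign autorun.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Reg Services"="C:\\WINDOWS\\System32\\fservice.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\System32\\fservice.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A75aed00-d7bf-11d1-9947-00c0Cf98bbc9}]
"StubPath"="C:\\WINDOWS\\System32\\fservice.exe"
'''
SAMPLE_SYSTEM_INI = "[boot]\nshell=EXPLORER.EXE C:\\WINDOWS\\System32\\fservice.exe\n[drivers]\nwave=mmdrv.dll\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\System32\\fservice.exe\n[fonts]\n"

if __name__ == "__main__":
    for where, name, data in triage(SAMPLE_REG, SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI):
        print(f"{where}\n    {name} = {data}")
```

Run against the constructed samples the script reports the Run value, the modified Winlogon Shell, the Active Setup StubPath, and both INI parameters; the benign ctfmon.exe entry is not flagged. Because the Trojan restores its entries while it runs, the export should be taken from an offline copy of the hive (or after the process has been stopped) so that the findings reflect what will actually be cleaned.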

Troj/Prorat-D may also employ counter-removal tricks that make it difficult to terminate the Trojan process.

Furthermore, the Trojan may monitor the registry entries above and restore them immediately if they are changed, so deleting the entries while the Trojan process is still running will not remove the infection.