Category: Viruses and Spyware
Protection available since: 19 Apr 2005 00:00:00 (GMT)
Type: Trojan
Last Updated: 12 Dec 2012 16:56:35 (GMT)
Prevalence: Small Number of Reports


Troj/Prorat-L is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

The Trojan also includes functionality to send notification messages to remote locations.

When first run the Trojan copies itself to:


and creates the following files:

%SYSTEM%\reginv.dll - Troj/Prorat-L
%SYSTEM%\winkey.dll - Troj/Prorat-H

In order to run each time Explorer initialises, Troj/Prorat-L will set the following registry entry:

DirectX For Microsoft® Windows

In order to run automatically each time a user logs in, Troj/Prorat-L will modify the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
<Old value> %SYSTEM%\fservice.exe

where the old value may be, for example, Explorer.exe.

Troj/Prorat-L will also install itself as an Active Setup component and create the following registry entry:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(5Y99AE78-58TT-11dW-BE53-Y67078979Y)

Troj/Prorat-L will add entries to the following registry branch:

HKCU\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag

Troj/Prorat-L will attempt to disable the Windows XP Internet Connection Firewall and System Restore service by modifying the following registry entries:



Troj/Prorat-L may attempt to drop a Trojan detected as Troj/LdPinch-AG.
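
The persistence indicators listed above can be checked on a suspect host with a short triage script. This is an added example, not part of the original analysis or a vendor tool. It assumes that %SYSTEM% refers to the Windows system folder, and because the page does not name the Winlogon value that is modified, it scans every value under that key for fservice.exe.

```powershell
# Added triage example: checks only the indicators listed on this page.
# Assumption: the %SYSTEM% placeholder maps to the Windows system folder.
$systemDir = [Environment]::SystemDirectory
$findings  = New-Object System.Collections.Generic.List[string]

# Files named on the page (fservice.exe is taken from the Winlogon entry).
foreach ($name in 'reginv.dll', 'winkey.dll', 'fservice.exe') {
    $path = Join-Path $systemDir $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $findings.Add("File present: $path")
    }
}

# Winlogon: the modified value is not named on the page, so every value
# under the key is inspected for a reference to fservice.exe.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$key = Get-Item -LiteralPath $winlogon -ErrorAction SilentlyContinue
if ($key) {
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)
        if ($data -match 'fservice\.exe') {
            $findings.Add("Winlogon value '$valueName' = $data")
        }
    }
}

# Registry keys the page says are created or populated.
# -LiteralPath keeps the parentheses in the key name from being parsed.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\(5Y99AE78-58TT-11dW-BE53-Y67078979Y)',
    'HKCU:\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $findings.Add("Registry key present: $k")
    }
}

if ($findings.Count -eq 0) {
    'None of the Troj/Prorat-L indicators listed on this page were found.'
} else {
    $findings
}
```

The HKCU check covers only the account running the script, so repeat it per user profile when triaging a shared machine.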