BKDR_PRORAT.BL

This backdoor may be dropped by other malware.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

Arrival Details

This backdoor may be dropped by the following malware:

• WORM_AUTORUN.RJG

Installation

This backdoor drops the following files:

• %System%\reginv.dll - already detected as BKDR_PRORAT.BL
• %System%\winkey.dll - already detected as BKDR_PRORAT.BL

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It drops and executes the following files:

• %Windows%\services.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

It drops the following copies of itself into the affected system:

• %System%\sservice.exe
• %System%\fservice.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
csrss.exe = "%Windows%\ctfmon.exe"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{random}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT Script Host

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT Script Host\Microsoft DxDiag

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT Script Host\Microsoft DxDiag\WinSettings

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\DisallowRun

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows\System

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{random}
StubPath = "%System%\sservice.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
DirectX For Microsoft Windows = "%System%\fservice.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
DependOnGroup = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
Group = {null}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
DisallowRun = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\DisallowRun
1 = "ntbackup.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\DisallowRun
2 = "Regedit.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\DisallowRun
3 = "rstrui.exe"

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows\System
DisableCMD = 1

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 2

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\HideFileExt
Type = "By Rover"

(Note: The default value data of the said registry entry is checkbox.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\SuperHidden
Type = "By Rover"

(Note: The default value data of the said registry entry is checkbox.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SystemRestore
DisableSR = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe %System%\fservice.exe"

(Note: The default value data of the said registry entry is Explorer.exe.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\sr
Start = 4

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\sr
ImagePath = "\SystemRoot\system32\DRIVERS\sr.sys"

(Note: The default value data of the said registry entry is system32\DRIVERS\sr.sys.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\sr\Parameters
FirstRun = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srservice
Start = 4

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
Start = 4

(Note: The default value data of the said registry entry is 2.)

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Format Drives (C:\ and D:\)
• Start or stop service
• List directory
• Shutdown system
• Open or close CD Drive
• Perform remote shell
• Terminates process
• Download and execute arbitrary files

It connects to the following websites to send and receive information:

• {BLOCKED}.23.237:80/friendship/email_thank_you.php?folder_id={random digit}¶ms_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact={random digit}&friend_nickname2=&friend_contact2=&x={random digit}&y={random digit}

Process Termination

This backdoor terminates the following processes if found running in the affected system's memory:

• WATCHDOG.EXE
• WEBSCANX.EXE
• WEBTRAP.EXE
• WGFE95.EXE
• WHOSWATCHINGME.EXE
• WIMMUN32.EXE
• WINRECON.EXE
• WNT.EXE
• WRADMIN.EXE
• WRCTRL.EXE
• WSBGATE.EXE
• WYVERNWORKSFIREWALL.EXE
• WrAdmin.EXE
• WrCtrl.EXE
• XPF202EN.EXE
• ZAPRO.EXE
• ZAPSETUP3001.EXE
• ZATUTOR.EXE
• ZAUINST.EXE
• ZONALM2601.EXE
• ZONEALARM.EXE
• _AVPCC.EXE
• _AVPM.EXE
• agentw.EXE
• apvxdwin.EXE
• avkpop.EXE
• avkservice.EXE
• avkwctl9.EXE
• avpm.EXE
• blackd.EXE
• ccApp.EXE
• ccEvtMgr.EXE
• ccPxySvc.EXE
• cleaner.EXE
• cleaner3.EXE
• cpd.EXE
• defalert.EXE
• defscangui.EXE
• f-stopw.EXE
• fameh32.EXE
• fch32.EXE
• fih32.EXE
• fnrb32.EXE
• fsaa.EXE
• fsav32.EXE
• fsgk32.EXE
• fsm32.EXE
• fsma32.EXE
• fsmb32.EXE
• gbmenu.EXE
• gbpoll.EXE
• iamapp.EXE
• iamserv.EXE
• lockdown2000.EXE
• navapsvc.EXE
• nod32.exe
• ACKWIN32.EXE
• ADVXDWIN.EXE
• AGENTSVR.EXE
• ALERTSVC.EXE
• ALOGSERV.EXE
• AMON9X.EXE
• ANTI-TROJAN.EXE
• ANTIVIRUS.EXE
• ANTS.EXE
• APIMONITOR.EXE
• APLICA32.EXE
• APVXDWIN.EXE
• ATCON.EXE
• ATGUARD.EXE
• ATRO55EN.EXE
• ATUPDATER.EXE
• ATWATCH.EXE
• AUPDATE.EXE
• AUTODOWN.EXE
• AUTOUPDATE.EXE
• AVCONSOL.EXE
• AVGCC32.EXE
• AVGCTRL.EXE
• AVGNT.EXE
• AVGSERV.EXE
• AVGSERV9.EXE
• AVGUARD.EXE
• AVGW.EXE
• AVP.EXE
• AVP32.EXE
• AVPCC.EXE
• AVPM.EXE
• AVSYNMGR.EXE
• AVWINNT.EXE
• AVWUPSRV.EXE
• AVXMONITOR9X.EXE
• AVXMONITORNT.EXE
• AVXQUAR.EXE
• AVXW.EXE
• AckWin32.EXE
• AutoTrace.EXE
• AvgServ.EXE
• Avgctrl.EXE
• AvkServ.EXE
• Avsched32.EXE
• BD_PROFESSIONAL.EXE
• BIDEF.EXE
• BIDSERVER.EXE
• BIPCP.EXE
• BIPCPEVALSETUP.EXE
• BISP.EXE
• BLACKD.EXE
• BLACKICE.EXE
• BOOTWARN.EXE
• BORG2.EXE
• BS120.EXE
• BlackICE.EXE
• CDP.EXE
• CFGWIZ.EXE
• CFIADMIN.EXE
• CFIAUDIT.EXE
• CFINET.EXE
• CFINET32.EXE
• CLAW95CF.EXE
• CLEAN.EXE
• CLEANER.EXE
• CLEANER3.EXE
• CLEANPC.EXE
• CMGRDIAN.EXE
• CMON016.EXE
• CONNECTIONMONITOR.EXE
• CPD.EXE
• CPF9X206.EXE
• CPFNT206.EXE
• CTRL.EXE
• CV.EXE
• CWNB181.EXE
• CWNTDWMO.EXE
• Claw95.EXE
• Claw95cf.EXE
• DEFWATCH.EXE
• DEPUTY.EXE
• DOORS.EXE
• DPF.EXE
• DPFSETUP.EXE
• DRWATSON.EXE
• DRWEB32.EXE
• DVP95.EXE
• DVP95_0.EXE
• EFPEADM.EXE
• ENT.EXE
• ESCANH95.EXE
• ESCANHNT.EXE
• ESCANV95.EXE
• ETRUSTCIPE.EXE
• EVPN.EXE
• EXANTIVIRUS-CNET.EXE
• EXPERT.EXE
• F-AGNT95.EXE
• F-PROT.EXE
• F-PROT95.EXE
• F-STOPW.EXE
• FAST.EXE
• FIREWALL.EXE
• FLOWPROTECTOR.EXE
• FP-WIN.EXE
• FP-WIN_TRIAL.EXE
• FRW.EXE
• FSAV.EXE
• FSAV530STBYB.EXE
• FSAV530WTBYB.EXE
• FSAV95.EXE
• GBMENU.EXE
• GBPOLL.EXE
• GENERICS.EXE
• GUARD.EXE
• GUARDDOG.EXE
• HACKTRACERSETUP.EXE
• HTLOG.EXE
• HWPE.EXE
• IAMAPP.EXE
• IAMSERV.EXE
• IAMSTATS.EXE
• ICLOAD95.EXE
• ICLOADNT.EXE
• ICMON.EXE
• ICSUPP95.EXE
• ICSUPPNT.EXE
• IFACE.EXE
• IFW2000.EXE
• IOMON98.EXE
• IPARMOR.EXE
• IRIS.EXE
• ISRV95.EXE
• JAMMER.EXE
• JEDI.EXE
• KAVLITE40ENG.EXE
• KAVPERS40ENG.EXE
• KAVPF.EXE
• KERIO-PF-213-EN-WIN.EXE
• KERIO-WRL-421-EN-WIN.EXE
• KERIO-WRP-421-EN-WIN.EXE
• KILLPROCESSSETUP161.EXE
• LDNETMON.EXE
• LDPRO.EXE
• LDPROMENU.EXE
• LDSCAN.EXE
• LOCALNET.EXE
• LOCKDOWN.EXE
• LOCKDOWN2000.EXE
• LSETUP.EXE
• LUALL.EXE
• LUAU.EXE
• LUCOMSERVER.EXE
• LUINIT.EXE
• LUSPT.EXE
• MCAGENT.EXE
• MCMNHDLR.EXE
• MCTOOL.EXE
• MCUPDATE.EXE
• MCVSRTE.EXE
• MCVSSHLD.EXE
• MFW2EN.EXE
• MFWENG3.02D30.EXE
• MGAVRTCL.EXE
• MGAVRTE.EXE
• MGHTML.EXE
• MGUI.EXE
• MINILOG.EXE
• MONITOR.EXE
• MOOLIVE.EXE
• MPFAGENT.EXE
• MPFSERVICE.EXE
• MPFTRAY.EXE
• MRFLUX.EXE
• MSCONFIG.EXE
• MSINFO32.EXE
• MSSMMC32.EXE
• MU0311AD.EXE
• MWATCH.EXE
• Mcshield.EXE
• Monitor.EXE
• NAV80TRY.EXE
• NAVAPSVC.EXE
• NAVAPW32.EXE
• NAVDX.EXE
• NAVLU32.EXE
• NAVSTUB.EXE
• NAVW32.EXE
• NAVWNT.EXE
• NC2000.EXE
• NCINST4.EXE
• NDD32.EXE
• NEOMONITOR.EXE
• NETARMOR.EXE
• NETINFO.EXE
• NETMON.EXE
• NETSCANPRO.EXE
• NETSPYHUNTER-1.2.EXE
• NETSTAT.EXE
• NETUTILS.EXE
• NISSERV.EXE
• NISUM.EXE
• NMAIN.EXE
• NORMIST.EXE
• NORTON_INTERNET_SECU_3.0_407.EXE
• NPF40_TW_98_NT_ME_2K.EXE
• NPFMESSENGER.EXE
• NPROTECT.EXE
• NPSSVC.EXE
• NSCHED32.EXE
• NTVDM.EXE
• NTXconfig.EXE
• NVARCH16.EXE
• NVC95.EXE
• NWINST4.EXE
• NWService.EXE
• NWTOOL16.EXE
• Navw32.EXE
• NeoWatchLog.EXE
• Nui.EXE
• Nupgrade.EXE
• OSTRONET.EXE
• OUTPOST.EXE
• OUTPOSTINSTALL.EXE
• OUTPOSTPROINSTALL.EXE
• PADMIN.EXE
• PANIXK.EXE
• PAVPROXY.EXE
• PCC2002S902.EXE
• PCC2K_76_1436.EXE
• PCCIOMON.EXE
• PCCWIN98.EXE
• PCDSETUP.EXE
• PCFWALLICON.EXE
• PCIP10117_0.EXE
• PDSETUP.EXE
• PERISCOPE.EXE
• PERSFW.EXE
• PERSWF.EXE
• PF2.EXE
• PFWADMIN.EXE
• PINGSCAN.EXE
• PLATIN.EXE
• POP3TRAP.EXE
• POPROXY.EXE
• POPSCAN.EXE
• PORTDETECTIVE.EXE
• PORTMONITOR.EXE
• PPINUPDT.EXE
• PPTBC.EXE
• PPVSTOP.EXE
• PROCESSMONITOR.EXE
• PROCEXPLORERV1.0.EXE
• PROGRAMAUDITOR.EXE
• PROPORT.EXE
• PROTECTX.EXE
• PSPF.EXE
• PURGE.EXE
• PVIEW95.EXE
• Process
• QCONSOLE.EXE
• QSERVER.EXE
• RAV7.EXE
• RAV7WIN.EXE
• RAV8WIN32ENG.EXE
• REALMON.EXE
• REGEDIT.EXE
• REGEDT32.EXE
• RESCUE.EXE
• RESCUE32.EXE
• RRGUARD.EXE
• RSHELL.EXE
• RTVSCN95.EXE
• RULAUNCH.EXE
• SAFEWEB.EXE
• SBSERV.EXE
• SCAN32.EXE
• SCRSCAN.EXE
• SD.EXE
• SETUPVAMEEVAL.EXE
• SETUP_FLOWPROTECTOR_US.EXE
• SFC.EXE
• SGSSFW32.EXE
• SH.EXE
• SHELLSPYINSTALL.EXE
• SHN.EXE
• SMC.EXE
• SOFI.EXE
• SPF.EXE
• SPHINX.EXE
• SPYXX.EXE
• SS3EDIT.EXE
• ST2.EXE
• SUPFTRL.EXE
• SUPPORTER5.EXE
• SWEEP95.EXE
• SWEEPSRV.SYS
• SWNETSUP.EXE
• SYMPROXYSVC.EXE
• SYMTRAY.EXE
• SYSEDIT.EXE
• Sphinx.EXE
• SweepNet
• SymProxySvc.EXE
• TASKMON.EXE
• TAUMON.EXE
• TC.EXE
• TCA.EXE
• TCM.EXE
• TDS-3.EXE
• TDS2-98.EXE
• TDS2-NT.EXE
• TFAK.EXE
• TFAK5.EXE
• TGBOB.EXE
• TITANIN.EXE
• TITANINXP.EXE
• TRACERT.EXE
• TRJSCAN.EXE
• TRJSETUP.EXE
• TROJANTRAP3.EXE
• UNDOBOOT.EXE
• UPDATE.EXE
• VBCMSERV.EXE
• VBCONS.EXE
• VBUST.EXE
• VBWIN9X.EXE
• VBWINNTW.EXE
• VCSETUP.EXE
• VET32.EXE
• VET95.EXE
• nod32krn.exe
• nod32kui.exe
• notstart.EXE
• npscheck.EXE
• ntrtscan.EXE
• nvsvc32.EXE
• pavproxy.EXE
• pccntmon.EXE
• pccwin97.EXE
• pcscan.EXE
• rapapp.EXE
• rtvscan.EXE
• sbserv.EXE
• vbcmserv.EXE
• vshwin32.EXE
• vsmon.EXE
• zapro.EXE
• zonealarm.EXE
• VETTRAY.EXE
• VFSETUP.EXE
• VIR-HELP.EXE
• VIRUSMDPERSONALFIREWALL.EXE
• VNLAN300.EXE
• VNPC3000.EXE
• VPC32.EXE
• VPC42.EXE
• VPFW30S.EXE
• VPTRAY.EXE
• VSCENU6.02D30.EXE
• VSCHED.EXE
• VSECOMR.EXE
• VSISETUP.EXE
• VSMAIN.EXE
• VSMON.EXE
• VSSTAT.EXE
• VSWIN9XE.EXE
• VSWINNTSE.EXE
• VSWINPERSE.EXE
• VbCons.EXE
• Vet95.EXE
• VetTray.EXE
• W32DSM89.EXE
• W9X.EXE

It terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• McVSEscn
• _avp
• ackwin32
• anti-trojan
• aplica32
• apvxdwin
• autodown
• avconsol
• ave32
• avgcc32
• avgctrl
• avgw
• avkserv
• avnt
• avp
• avsched32
• avwin95
• avwupd32
• blackd
• blackice
• bootwarn
• ccapp
• ccshtdwn
• cfiadmin
• cfiaudit
• cfind
• cfinet
• claw95
• ecengine
• efinet32
• espwatch
• f-agnt95
• f-prot
• f-prot95
• f-stopw
• findviru
• fp-win
• fprot
• fprot95
• frw
• gibe
• iamapp
• iamserv
• ibmasn
• ibmavsp
• icload95
• icloadnt
• icmon
• icmoon
• icssuppnt
• icsupp
• iface
• iomon98
• jedi
• kpfw32
• lockdown2000
• lookout
• luall
• mcvsftsn
• mcvsrte
• mcvsshld
• moolive
• mpftray
• msconfig
• nai_vs_stat
• navapw32
• navlu32
• navnt
• navsched
• navw
• nisum
• nmain
• normist
• nupdate
• nupgrade
• nvc95
• outpost
• padmin
• pavcl
• pavsched
• pavw
• pcciomon
• pccmain
• pccwin98
• pcfwallicon
• persfw
• pop3trap
• pview
• rav
• regedit
• rescue
• safeweb
• serv95
• sphinx
• sweep
• tca
• tds2
• vcleaner
• vcontrol
• vet32
• vet95
• vet98
• vettray
• vscan
• vsecomr
• vshwin32
• vsstat
• webtrap
• wfindv32
• zapro
• zonealarm

Stolen Information

This backdoor sends the data it gathers to the following email addresses via SMTP:

• {BLOCKED}at@yahoo.com