Backdoor:Win32/Prorat is a trojan that opens random ports that allow remote access from an attacker to the affected computer. This backdoor may download and execute other malware from predefined Web sites and may terminate several security applications or services.
Installation
This backdoor trojan may be installed by other malware. When run, this malware drops files onto the local computer as in the following examples:
<system folder>\wservice.exe
<system folder>\lservice.exe
<system folder>\ffservice.exe
<system folder>\dservice.exe or <system folder>\d_service.exe
The registry is modified to run the Win32/Prorat at each Windows start.
Adds value: "StubPath"
With data: "<system folder>\lservice.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{A75aed00-d7bf-11d1-9947-00c0Cf98bbc9}\
Adds value: "Windows Reg Services"
With data: "<system folder>\ffservice.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Adds value: "Windows Reg Services"
With data: "<system folder>\ffservice.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "Windows Reg Services"
With data: "<system folder>\ffservice.exe"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Payload
Allows Remote Access
This trojan may open random TCP ports such as TCP ports 5110, 5112, 51100, 4110, 4112 and so on. The trojan may communicate with a remote server to send connection information such as which ports are open on the affected computer. A remote attacker could connect to the affected machine and send command instructions that could include the following:
- play audible sounds
- change the printer properties
- download and execute arbitrary programs or malware
Terminates Security Applications or Services
In the wild, this trojan has been observed to terminate the following security related processes:
avpcc.exe
avpcc.exe
_avpm.exe
avp32.exe
avp.exe
fsav.exe
PERSFW.EXE
ZONEALARM.EXE
SCAN32.exe
NAVW32.exe
AVGW.EXE
NOD32.EXE
DRWEB32.EXE
Additional Information
The family name "prorat" is a combination of the words 'pro' and 'rat' where 'rat' is a term referring to "remote access trojan".
Analysis by Tim Liu
