McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.Prorat - Symantec

• BackDoor.ProRat.19 - DrWeb

• BackDoor.Prorat.2.BM - AVG

• Backdoor.Prorat.Q - BitDefender

• Backdoor.Win32.Prorat.19.k - Kaspersky

• Trojan.Prorat.19-2 - ClamAV

• Win32.ProRat.H - eTrust

Characteristics

Backdoor-AVW is a Remote Access Trojan consisting of a server component, client component and a server editor component.
The characteristics of this Trojan with regards to the file names, port number used, etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

Server Component:

When the server component is executed, the Trojan drops the following files:

• %Windows%\services.exe
• %Windows%\system\sservice.exe
• %Windows%\system32\fservice.exe
• %Windows%\system32\reginv.dll (Hides the Trojan process from the process list)
• %Windows%\system32\winkey.dll (Logs keystrokes belonging to application windows)
• %Windows%\ktd32.atm (Stores recorded keystrokes)

In an attempt to make the dropped files harder to find, the files have their attributes changed to hidden and system.

The following Registry entries are modified, so the Trojan runs on startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
  Explorer.exe %Windir%\system32\fservice.exe
• HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} "StubPath"
  %Windir%\system\sservice.exe
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  policies\Explorer\Run "DirectX For Microsoft® Windows"
  %Windir%\system32\fservice.exe

Once running, the server component opens up TCP port 5100, awaiting commands from the attacker using the client component. A notification is sent to the attacker using various methods, and data such as the following is sent:

• IP Address of the victim
• Port number the server is listening on
• Server password
• Victim’s name
• Computer Name
• Date & Time

Client Component:

The client component runs on the attacker’s computer, and connects to the server component on the victim’s machine remotely.

The following are a list of some of the functions that are available to the attacker:

• Process Manager (List, kill running processes)
• File Manager (List, upload, download, delete)
• Registry Manager (Browse Registry, add, edit, delete keys)
• Windows Manager (Browse, close, maximize/minimize, rename)
• Get system information
• Extract passwords from machine
• Key logger
• Read/Modify contents of the clipboard
• Screen capture
• Pranks played on the victim (Hiding desktop icons, start button, taskbar, opening and closing CD-Rom)
• Desktop logoff, reboot or shutdown
• FTP-server, Telnet-Server
• Format drives

Server Editor Component:

The server editor component is used by the attacker to create the server component.

  The editor component can be used to create a server with the following extensions:

• Pif
• Exe
• Bat
• Com
• Scr

The editor component is also used for the following:

• Change the Icon for the server created, to make it look legitimate
• Bind the server with another legitimate executable
• Choose from a range of notification methods (Email, ICQ, CGI etc)This is used to notify the attacker about the victims name and IP address
• Change the port number on which the Trojan listens to, for incoming connections

Symptoms

• Desktop firewall program alerting that a foreign program is trying to access the internet
• Presence of the files/Registry keys mentioned above
• Unexplained activity on the victim's machine indicative of someone having remote access via the client component
• The server component attempts to kill various processes (AV scanners, firewall products etc.)

Method of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.
Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.Prorat - Symantec

• BackDoor.ProRat.19 - DrWeb

• BackDoor.Prorat.2.BM - AVG

• Backdoor.Prorat.Q - BitDefender

• Backdoor.Win32.Prorat.19.k - Kaspersky

• Trojan.Prorat.19-2 - ClamAV

• Win32.ProRat.H - eTrust

Characteristics

Characteristics -

Backdoor-AVW is a Remote Access Trojan consisting of a server component, client component and a server editor component.
The characteristics of this Trojan with regards to the file names, port number used, etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

Server Component:

When the server component is executed, the Trojan drops the following files:

• %Windows%\services.exe
• %Windows%\system\sservice.exe
• %Windows%\system32\fservice.exe
• %Windows%\system32\reginv.dll (Hides the Trojan process from the process list)
• %Windows%\system32\winkey.dll (Logs keystrokes belonging to application windows)
• %Windows%\ktd32.atm (Stores recorded keystrokes)

In an attempt to make the dropped files harder to find, the files have their attributes changed to hidden and system.

The following Registry entries are modified, so the Trojan runs on startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
  Explorer.exe %Windir%\system32\fservice.exe
• HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} "StubPath"
  %Windir%\system\sservice.exe
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  policies\Explorer\Run "DirectX For Microsoft® Windows"
  %Windir%\system32\fservice.exe

Once running, the server component opens up TCP port 5100, awaiting commands from the attacker using the client component. A notification is sent to the attacker using various methods, and data such as the following is sent:

• IP Address of the victim
• Port number the server is listening on
• Server password
• Victim’s name
• Computer Name
• Date & Time

Client Component:

The client component runs on the attacker’s computer, and connects to the server component on the victim’s machine remotely.

The following are a list of some of the functions that are available to the attacker:

• Process Manager (List, kill running processes)
• File Manager (List, upload, download, delete)
• Registry Manager (Browse Registry, add, edit, delete keys)
• Windows Manager (Browse, close, maximize/minimize, rename)
• Get system information
• Extract passwords from machine
• Key logger
• Read/Modify contents of the clipboard
• Screen capture
• Pranks played on the victim (Hiding desktop icons, start button, taskbar, opening and closing CD-Rom)
• Desktop logoff, reboot or shutdown
• FTP-server, Telnet-Server
• Format drives

Server Editor Component:

The server editor component is used by the attacker to create the server component.

  The editor component can be used to create a server with the following extensions:

• Pif
• Exe
• Bat
• Com
• Scr

The editor component is also used for the following:

• Change the Icon for the server created, to make it look legitimate
• Bind the server with another legitimate executable
• Choose from a range of notification methods (Email, ICQ, CGI etc)This is used to notify the attacker about the victims name and IP address
• Change the port number on which the Trojan listens to, for incoming connections

Symptoms

Symptoms -

• Desktop firewall program alerting that a foreign program is trying to access the internet
• Presence of the files/Registry keys mentioned above
• Unexplained activity on the victim's machine indicative of someone having remote access via the client component
• The server component attempts to kill various processes (AV scanners, firewall products etc.)

Method of Infection

Method of Infection -

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.
Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A