Content

W32/Protoride.worm

Type
Virus
SubType
Internet Worm
Discovery Date
09/13/2004
Length
75264 bytes (PeX packed)
Minimum DAT
4391 (09/15/2004)
Updated DAT
4391 (09/15/2004)
Minimum Engine
5.1.00
Description Added
09/13/2004
Description Modified
09/17/2004 6:09 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This is a description for a new variant of the W32/Protoride worm, disconvered on the 13. Sept. It has the following characteristics:

  • copies itself to remote startup folders using open shares.
  • includes a IRC bot which is capable to:
    • upload/download/execute files
    • read systeminformations
    • do portscans
    • terminate running processes
    • do TCP/UDP/ICMP flood (DoS)

After execution, it creates a key in the registry, so it get activated each time the system starts:

  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run
    "Windows Taskbar Manager"  = [path]iexplorer.exe


The worm tries to connect to TCP139 on IP addresses within the local network, but can also choose public IP addresses. When the scaned host replies, the worm tries to connect to the victim using the user/password credentials of the log on user on the infected machine.

When access to victims machine is granted, it tries to copy itself as IEXPLORER.EXE to these folders:

  • \Documents and Settings\All Users\Start Menu\Programs\StartUp\ 
  • \WINDOWS\Start Menu\Programs\StartUp\  
  • \WIN98\Start Menu\Programs\StartUp\
  • \WINME\Start Menu\Programs\StartUp\
  • \WIN95\Start Menu\Programs\StartUp\
  • \WINDOWS.000\Start Menu\Programs\StartUp\  
  • \Documents and Settings\All Users\Menu Iniciar\Programas\Iniciar\  
  • \WINDOWS\Menu Iniciar\Programas\Iniciar\   
  • \WIN98\Menu Iniciar\Programas\Iniciar\ 
  • \WINME\Menu Iniciar\Programas\Iniciar\ 
  • \WIN95\Menu Iniciar\Programas\Iniciar\ 
  • \WINDOWS.000\Menu Iniciar\Programas\Iniciar\   
  • \Documents and Settings\All Users\Men· Inicio\Programas\Inicio\
  • \WINDOWS\Men· Inicio\Programas\Inicio\
  • \WIN98\Men· Inicio\Programas\Inicio\   
  • \WINME\Men· Inicio\Programas\Inicio\   
  • \WIN95\Men· Inicio\Programas\Inicio\   
  • \WINDOWS.000\Men· Inicio\Programas\Inicio\ 
  • \Documents and Settings\All Users\KSynnistS-valikko\Ohjelmat\KSynnistys\   
  • \WINDOWS\KSynnistS-valikko\Ohjelmat\KSynnistys\
  • \WIN98\KSynnistS-valikko\Ohjelmat\KSynnistys\  
  • \WINME\KSynnistS-valikko\Ohjelmat\KSynnistys\  
  • \WIN95\KSynnistS-valikko\Ohjelmat\KSynnistys\  
  • \Documents and Settings\All Users\Menu DTmarrer\Programmes\DTmarrage\  
  • \WINDOWS\Menu DTmarrer\Programmes\DTmarrage\   
  • \WIN98\Menu DTmarrer\Programmes\DTmarrage\ 
  • \WINME\Menu DTmarrer\Programmes\DTmarrage\ 
  • \WIN95\Menu DTmarrer\Programmes\DTmarrage\ 
  • \Documents and Settings\All Users\Menuen Start\Programmer\Start\   
  • \WINDOWS\Menuen Start\Programmer\Start\
  • \WIN98\Menuen Start\Programmer\Start\  
  • \WINME\Menuen Start\Programmer\Start\  
  • \WIN95\Menuen Start\Programmer\Start\  
  • \Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
  • \WINDOWS\Menu Start\Programma's\Opstarten\ 
  • \WIN98\Menu Start\Programma's\Opstarten\   
  • \WINME\Menu Start\Programma's\Opstarten\
  • \WIN95\Menu Start\Programma's\Opstarten\   
  • \Documents and Settings\All Users\Start Menu\Programlar\BASLANGI¦\ 
  • \WINDOWS\Start Menu\Programlar\BASLANGI¦\  
  • \WIN98\Start Menu\Programlar\BASLANGI¦\
  • \WINME\Start Menu\Programlar\BASLANGI¦\
  • \WIN95\Start Menu\Programlar\BASLANGI¦\
  • \Documents and Settings\All Users\Menu Start\Programy\Autostart\   
  • \WINDOWS\Menu Start\Programy\Autostart\
  • \WIN98\Menu Start\Programy\Autostart\  
  • \WINME\Menu Start\Programy\Autostart\  
  • \WIN95\Menu Start\Programy\Autostart\  
  • \Documents and Settings\All Users\Start-meny\Programmer\Oppstart\  
  • \WINDOWS\Start-meny\Programmer\Oppstart\   
  • \WIN98\Start-meny\Programmer\Oppstart\ 
  • \WINME\Start-meny\Programmer\Oppstart\
  • \WIN95\Start-meny\Programmer\Oppstart\ 
  • \Documents and Settings\All Users\Start-menyn\Program\Autostart\   
  • \WINDOWS\Start-menyn\Program\Autostart\
  • \WIN98\Start-menyn\Program\Autostart\  
  • \WINME\Start-menyn\Program\Autostart\  
  • \WIN95\Start-menyn\Program\Autostart\  
  • \Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\  
  • \WINDOWS\Menu Avvio\Programmi\Esecuzione automatica\   
  • \WIN98\Menu Avvio\Programmi\Esecuzione automatica\ 
  • \WINME\Menu Avvio\Programmi\Esecuzione automatica\ 
  • \WIN95\Menu Avvio\Programmi\Esecuzione automatica\ 
  • \Dokumente und Einstellungen\All Users\Startmenn\Programme\Autostart\  
  • \WINDOWS\Startmenn\Programme\Autostart\
  • \WIN98\Startmenn\Programme\Autostart\
  • \WINME\Startmenn\Programme\Autostart\  
  • \WIN95\Startmenn\Programme\Autostart\  
  • \WINDOWS.000\Startmenn\Programme\Autostart\

The bot component of the worm tries to connect to port TCP6667 at:

  • upd.extr3me.com.ar
  • upd.damaged.com.ar

Symptoms

  • Unexpected outgoing network traffic to port TCP139
  • Unexpected outgoing network traffic to port TCP6667
  • Presents of registry keys and IEXPLORER.EXE in the startup folder.

Method of Infection

The worm copies itself to open shares into the startup folder, it does not spread by email and the infection process does requiere any userinteraction.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

This is a description for a new variant of the W32/Protoride worm, disconvered on the 13. Sept. It has the following characteristics:

  • copies itself to remote startup folders using open shares.
  • includes a IRC bot which is capable to:
    • upload/download/execute files
    • read systeminformations
    • do portscans
    • terminate running processes
    • do TCP/UDP/ICMP flood (DoS)

After execution, it creates a key in the registry, so it get activated each time the system starts:

  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run
    "Windows Taskbar Manager"  = [path]iexplorer.exe


The worm tries to connect to TCP139 on IP addresses within the local network, but can also choose public IP addresses. When the scaned host replies, the worm tries to connect to the victim using the user/password credentials of the log on user on the infected machine.

When access to victims machine is granted, it tries to copy itself as IEXPLORER.EXE to these folders:

  • \Documents and Settings\All Users\Start Menu\Programs\StartUp\ 
  • \WINDOWS\Start Menu\Programs\StartUp\  
  • \WIN98\Start Menu\Programs\StartUp\
  • \WINME\Start Menu\Programs\StartUp\
  • \WIN95\Start Menu\Programs\StartUp\
  • \WINDOWS.000\Start Menu\Programs\StartUp\  
  • \Documents and Settings\All Users\Menu Iniciar\Programas\Iniciar\  
  • \WINDOWS\Menu Iniciar\Programas\Iniciar\   
  • \WIN98\Menu Iniciar\Programas\Iniciar\ 
  • \WINME\Menu Iniciar\Programas\Iniciar\ 
  • \WIN95\Menu Iniciar\Programas\Iniciar\ 
  • \WINDOWS.000\Menu Iniciar\Programas\Iniciar\   
  • \Documents and Settings\All Users\Men· Inicio\Programas\Inicio\
  • \WINDOWS\Men· Inicio\Programas\Inicio\
  • \WIN98\Men· Inicio\Programas\Inicio\   
  • \WINME\Men· Inicio\Programas\Inicio\   
  • \WIN95\Men· Inicio\Programas\Inicio\   
  • \WINDOWS.000\Men· Inicio\Programas\Inicio\ 
  • \Documents and Settings\All Users\KSynnistS-valikko\Ohjelmat\KSynnistys\   
  • \WINDOWS\KSynnistS-valikko\Ohjelmat\KSynnistys\
  • \WIN98\KSynnistS-valikko\Ohjelmat\KSynnistys\  
  • \WINME\KSynnistS-valikko\Ohjelmat\KSynnistys\  
  • \WIN95\KSynnistS-valikko\Ohjelmat\KSynnistys\  
  • \Documents and Settings\All Users\Menu DTmarrer\Programmes\DTmarrage\  
  • \WINDOWS\Menu DTmarrer\Programmes\DTmarrage\   
  • \WIN98\Menu DTmarrer\Programmes\DTmarrage\ 
  • \WINME\Menu DTmarrer\Programmes\DTmarrage\ 
  • \WIN95\Menu DTmarrer\Programmes\DTmarrage\ 
  • \Documents and Settings\All Users\Menuen Start\Programmer\Start\   
  • \WINDOWS\Menuen Start\Programmer\Start\
  • \WIN98\Menuen Start\Programmer\Start\  
  • \WINME\Menuen Start\Programmer\Start\  
  • \WIN95\Menuen Start\Programmer\Start\  
  • \Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
  • \WINDOWS\Menu Start\Programma's\Opstarten\ 
  • \WIN98\Menu Start\Programma's\Opstarten\   
  • \WINME\Menu Start\Programma's\Opstarten\
  • \WIN95\Menu Start\Programma's\Opstarten\   
  • \Documents and Settings\All Users\Start Menu\Programlar\BASLANGI¦\ 
  • \WINDOWS\Start Menu\Programlar\BASLANGI¦\  
  • \WIN98\Start Menu\Programlar\BASLANGI¦\
  • \WINME\Start Menu\Programlar\BASLANGI¦\
  • \WIN95\Start Menu\Programlar\BASLANGI¦\
  • \Documents and Settings\All Users\Menu Start\Programy\Autostart\   
  • \WINDOWS\Menu Start\Programy\Autostart\
  • \WIN98\Menu Start\Programy\Autostart\  
  • \WINME\Menu Start\Programy\Autostart\  
  • \WIN95\Menu Start\Programy\Autostart\  
  • \Documents and Settings\All Users\Start-meny\Programmer\Oppstart\  
  • \WINDOWS\Start-meny\Programmer\Oppstart\   
  • \WIN98\Start-meny\Programmer\Oppstart\ 
  • \WINME\Start-meny\Programmer\Oppstart\
  • \WIN95\Start-meny\Programmer\Oppstart\ 
  • \Documents and Settings\All Users\Start-menyn\Program\Autostart\   
  • \WINDOWS\Start-menyn\Program\Autostart\
  • \WIN98\Start-menyn\Program\Autostart\  
  • \WINME\Start-menyn\Program\Autostart\  
  • \WIN95\Start-menyn\Program\Autostart\  
  • \Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\  
  • \WINDOWS\Menu Avvio\Programmi\Esecuzione automatica\   
  • \WIN98\Menu Avvio\Programmi\Esecuzione automatica\ 
  • \WINME\Menu Avvio\Programmi\Esecuzione automatica\ 
  • \WIN95\Menu Avvio\Programmi\Esecuzione automatica\ 
  • \Dokumente und Einstellungen\All Users\Startmenn\Programme\Autostart\  
  • \WINDOWS\Startmenn\Programme\Autostart\
  • \WIN98\Startmenn\Programme\Autostart\
  • \WINME\Startmenn\Programme\Autostart\  
  • \WIN95\Startmenn\Programme\Autostart\  
  • \WINDOWS.000\Startmenn\Programme\Autostart\

The bot component of the worm tries to connect to port TCP6667 at:

  • upd.extr3me.com.ar
  • upd.damaged.com.ar

Symptoms

Symptoms -

  • Unexpected outgoing network traffic to port TCP139
  • Unexpected outgoing network traffic to port TCP6667
  • Presents of registry keys and IEXPLORER.EXE in the startup folder.

Method of Infection

Method of Infection -

The worm copies itself to open shares into the startup folder, it does not spread by email and the infection process does requiere any userinteraction.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A