Full Version: Interesting Trojan
TRi
My little brother used my machine for some days, and after I got back I found a weird trojan (Prorat.19) on it.

Interestingly, it is only picked up by 5 of 13 AVs:

AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Dropper.Agent.AI
ClamAV Found Trojan.Prorat.19.B-srv
Dr.Web Found BackDoor.ProRat.19
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found Win32/Prorat.19
Norman Virus Control Found nothing
VBA32 Found Trojan.LdPinch.1 (probable variant)

QUOTE
Troj/Prorat-H is a backdoor Trojan for the Windows platform.
Troj/Prorat-H and its helper DLL files gather information from an infected computer and email it to a remote user. The information gathered includes system information, recorded keystrokes, passwords and account information.

(http://www.sophos.com/virusinfo/analyses/trojprorath.html)


Side Effects:

  • Allows others to access the computer
  • Steals information
  • Uses its own emailing engine
  • Downloads code from the internet
  • Reduces system security
  • Records keystrokes
It copies itself to %systemroot%\msnadmin.exe and %systemroot%\system32\fire-fox.exe, logs keystrokes to %systemroot%\ktd32.atm, and some other stuff. When it's killed, the process is automatically recovered after some seconds, as long as fire-fox.exe still exists.

This is what appsniff is telling me:
msnadmin.exe, size=0, sock=0, proto=tcp, remIP=192.168.123.105, remPort=, oper=GetHostByName

QUOTE
General Information about Prorat 1.9 SE from megasecurity:

Server:
dropped files:
c:\WINDOWS\services.exe           size: 350,764 bytes
c:\WINDOWS\system\sservice.exe    size: 350,764 bytes
c:\WINDOWS\system32\fservice.exe  size: 350,764 bytes
c:\WINDOWS\system32\reginv.dll    size: 20,992 bytes
c:\WINDOWS\system32\winkey.dll    size: 16,896 bytes

port: 5110, 5112, 51100 TCP

added to registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} "StubPath"
data: C:\WINDOWS\system\sservice.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "DirectX For Microsoft® Windows"
data: C:\WINDOWS\system32\fservice.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
old data: Explorer.exe
new data: Explorer.exe C:\WINDOWS\system32\fservice.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore "DisableSR"
old data: 00, 00, 00, 00
new data: 01, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr "ImagePath"
old data: System32\DRIVERS\sr.sys
new data: \SystemRoot\System32\DRIVERS\sr.sys

http://www.megasecurity.org/trojans/p/pror...rorat1.9se.html


Now I wonder if anybody could take a look at this file and find out where the data is emailed to. I'm curious and frightened at the same time that some valuable information was sent to some (filtered).

The original name was msnadmin.exe

Thanks in advance!

I take no responsibility for any dangers which this program might cause! Handle with care and knowledge!
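Added example, not from the original thread or from any of the posters: a Python script that reads a Windows registry text export (the format reg export writes) and flags the persistence points listed in the megasecurity entry above, namely a Winlogon Shell value with anything beyond Explorer.exe, any entry under Policies\Explorer\Run, an Active Setup component whose StubPath does not run through a normal setup host, and SystemRestore DisableSR set to 1. It also checks that the Active Setup component name is a well-formed GUID, which the one in the listing ({5Y99AE78-58TT-11dW-BE53-Y67078979Y}) is not, since Y, T and W are not hex digits. The registry text it runs on is constructed from the listing, not a capture; the regsvr32 entry and the allowlist of setup hosts (regsvr32.exe, rundll32.exe) are assumptions added for contrast.

```python
r"""Flag ProRat-style persistence in a Windows registry text export.

Make the export on the suspect box with:  reg export HKLM\SOFTWARE hklm-software.reg
(reg export writes UTF-16LE, so read the file with encoding='utf-16').
"""
import re

# Constructed sample modelled on the megasecurity listing quoted in the thread.
# The regsvr32 Active Setup component is a normal Windows entry added for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\fservice.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"DirectX For Microsoft® Windows"="C:\\WINDOWS\\system32\\fservice.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}]
"StubPath"="C:\\WINDOWS\\system\\sservice.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"StubPath"="C:\\WINDOWS\\system32\\regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')          # "name"=data
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
# Binaries that normally host Active Setup stubs; a heuristic allowlist (assumption).
SETUP_HOSTS = {'regsvr32.exe', 'rundll32.exe'}


def _decode(raw):
    """Decode the data side of a .reg value (REG_SZ and REG_DWORD; others kept as text)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r'\\(.)', r'\1', raw[1:-1])      # undo \\ and \" escaping
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: data}} for every key in the export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = _decode(m.group(2))
    return keys


def scan(text):
    """Return (key, value_name, reason) for each suspicious persistence entry."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k.endswith('\\windows nt\\currentversion\\winlogon'):
            # The stock Shell is exactly Explorer.exe; ProRat appends its own exe.
            shell = values.get('Shell')
            if isinstance(shell, str) and [t.lower() for t in shell.split()] != ['explorer.exe']:
                findings.append((key, 'Shell', f'extra shell payload: {shell}'))
        elif k.endswith('\\currentversion\\policies\\explorer\\run'):
            # The policy Run key is normally empty unless Group Policy set it: review every entry.
            for name, cmd in values.items():
                findings.append((key, name, f'policy Run entry: {cmd}'))
        elif '\\active setup\\installed components\\' in k:
            clsid = key.rsplit('\\', 1)[-1]
            stub = values.get('StubPath')
            reasons = []
            if not GUID_RE.match(clsid):
                reasons.append(f'component id {clsid} is not a well-formed GUID')
            if isinstance(stub, str) and stub.split():
                # First token is the program; strip a leading quote, keep the basename.
                host = stub.split()[0].strip('"').rsplit('\\', 1)[-1].lower()
                if host not in SETUP_HOSTS:
                    reasons.append(f'StubPath runs {host} directly')
            if reasons:
                findings.append((key, 'StubPath', '; '.join(reasons)))
        elif k.endswith('\\currentversion\\systemrestore'):
            if values.get('DisableSR') == 1:
                findings.append((key, 'DisableSR', 'System Restore disabled'))
    return findings


if __name__ == '__main__':
    for key, name, why in scan(SAMPLE_REG):
        print(f'{key}\n  {name}: {why}')
```

Run directly it prints four findings for the constructed sample (Shell, the policy Run entry, the malformed Active Setup component, DisableSR) and nothing for the regsvr32 component. For a real machine, export the hive from the suspect box, read the file with encoding 'utf-16' and pass the text to scan(). The script only reads; per the observations earlier in the thread, removing these entries while fire-fox.exe and friends are still running would just get undone.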
edward5
This is an old trojan. From its history I suspect it came from somewhere in Asia, and most U.S. ISPs have had enough time to block it.

Most home antiviruses won't detect a trojan. A trojan can run like a shadow of an application and is therefore not normally detected unless you are running a program that sinks the shadowing efforts of a trojan or worm that can turn an ordinary home PC into a zombie.

Typical symptoms of a zombie-infected machine are difficulty with ISP logon or general sluggishness of a PC that was running normally previously.

I can't tell where this one is keystroking to; from the syntax I can speculate somewhere in Asia.

The easiest way to get rid of this is simply to dump the affected registry entries, then dump the files.

Ed
aelphaeis_mangarae
QUOTE
Most home antiviruses won't detect a trojan.



Yes they will.
hottzo
First of all, it is indeed ProRat 1.9:
ProRat v1.9 Trojan Horse
Coded by PRO Group - Made in Turkey

1) This ** is packed with some unknown version of ASPack, but not for sure; he must have hex-edited the package to remove the packer's identification, so you can't unpack it properly either.

2) It hooks user32.dll and ntdll.dll (probably more; I see it has a very friendly relationship with DirectX, both *.dll and registry).

3) It also starts a telnet server. It sends those files (reginv.dll, winkey.dll, wininv.dll) to ICQ UIN Kurban_Ismi. This trojan also has SMTP support and can use your internet settings to send mail. It also transfers MSN and Trillian profiles (I didn't search for others), it can brute-force other hosts from your box, and it has FTP support for file transfer. I couldn't find an e-mail address though.

4) It listens on these ports: 3333, 5112, 51100.
But if you count hooking, it can listen on any port, because it can cook the TCP/UDP packets (e.g. like the hxdef rootkit).

5) Registry: SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\DirectX For Microsoft Windows

6) By the way, you forgot %systemroot%\system\anti_vir.exe

7) It is a trojan with 3-way process support: msnadmin.exe, fire-fox.exe and anti_vir.exe support each other.

8) It transfers many files and has support for many programs, e.g. it transfers your sites.dat from FlashFXP along with user/pass.

9) It also supports AV/FW killing (funny, e.g. "net stop navpsvc"; if you change the service name it won't stop the AV? Nice technique, lol).

10) I found these names: Sifre_Tamam, Kurban_Ismi, Sifre_Hatasi (these are registered as ICQ UINs).

11) Comments in the unpacked trojan: "Kisses_To_Mcafee Kisses_To_Trojanhunter".

12) I've unpacked the trojan. I would be more than happy to upload the unpacked version, but I can't due to member status, so if someone wants it badly, PM me.

P.S. (1) I hope I've helped. (2) Never leave your bro with admin rights again :P. (3) Nice catch, very rare for plain surfing. (4) It has an option to format your drive during boot-up, so at least you can consider yourself lucky, from a point of view.

13) Edit: not even TDS-3 caught it... it just caught the unpacked version when I ran it, and the two DLLs. Shame, I always thought it was the best.
TRi
Wow, thanks big time for your analysis. Seems like I overlooked this anti_vir.exe, and now this (filtered) trojan has spawned again.

And yep, my bro will not touch my machine again.

I'd be very interested in those files, PM sent.

[edit]

hottzo, could you also find out at what intervals information is sent to these ICQ nicks, and are you sure that all the information (sites.dat, keylog, MSN info) is sent there? If yes, that would mean a major problem for me, resulting in many password changes.
hottzo
I can see it has the ability to send all this data after checking that one of these users is online. The funny part is that it doesn't send the same stuff to each person, but different stuff to each one. To be completely sure I would have to allow full access with no firewall (although I saw a type of reverse connection inside the trojan) to my sandbox, let it establish a connection and monitor file activity. I'm sure your next steps should be the following:

1) Scan the infected PC from another PC in your LAN, if you have one, for rootkits, plus programs which may have the ability to modify data returned from API calls (like rootkits, but within the trojan). You can easily do that by using RootkitRevealer remotely plus DameWare, and check services, processes, etc. remotely.

2) Run TDS-3 and do a full system scan on the infected PC. Also tell it to dump the full table of listening/established/time-wait ports.

3) Change all your passwords: FTP servers, MSN account, ICQ account, Trillian accounts (it also sends the Trillian address book), Windows login, Yahoo Messenger.

4) There is not a lot of info about the trojan, and what I found on the net was pure b**s from the AV companies. As long as this solution is not a big problem for you, I would suggest backup/format/install a fresh copy of Windows, because I don't know if the hooks the trojan sets on DirectX DLLs and other Windows DLLs are on the fly and temporary, with everything unhooked after a restart, or whether it hooks the DLLs permanently, so that after you remove the trojan you have to manually unhook the DLLs.

5) If reformatting your PC is a very big problem, I could tell you which files, registry entries and hooked DLLs, but I think the effort would be 10x more than formatting your system and a fresh install.
hottzo
Forgot to add:

What you saw in your virus reports is not the actual trojan; what has been detected is another trojan which ProRat drops onto your machine (e.g. LdPinch). It's not the actual ProRat. Only NOD32 with heuristics enabled reports it as ProRat, but I think it detected it by luck, due to this "LdPinch" being dropped, as only the ProRat trojan is known to do this, so NOD32 thinks it must have been ProRat that did this. Yet I have a strong belief that not even NOD32 has detected your particular variant of the trojan directly (if ProRat dropped a specially modified version of LdPinch, not even NOD32 would have detected it).
chris105
hottzo, I'm not so sure; NOD32 gives a lot of false positives and would detect the presence of an AV/FW killer, which I believe ProRat is bundled with...

Edit:

I don't suppose the built-in 'remove local server' option in ProRat is touching this, is it? I know if it's an official undetected server then it will not.
hottzo
I don't know if I have completely understood what you've said, so my answers depend on my understanding of it.

As I've said, the way to stop the AV/FW service is with the command "net stop" for known services.

I also think that the trojan (named by AV: LdPinch) is just a standalone trojan made to steal your passwords. What I think is that the author of LdPinch is different from ProRat's, so they didn't have the ability to modify the source, but just "borrowed" it from the author and bundled it with their ProRat trojan. If they indeed stole it, I wouldn't be surprised if they have just made a super-RAT from the sources of other trojan authors.

I haven't worked with the ProRat client, so I imagine the "remove local server" button would be something like the Optix Pro "remove server" button. I cannot answer that question, because if LdPinch has been tampered with (hex-edited, perhaps, if no source code was available to the ProRat authors), then LdPinch might not even be recognized by ProRat as part of the trojan (if they have changed filenames/registry paths in LdPinch and not in ProRat, and vice versa). But all these are assumptions based on the most likely hypothesis. Only by using the specific client/server could I answer you 100%, or otherwise only with the modified ProRat and LdPinch sources.
aelphaeis_mangarae
I'm very surprised Kaspersky didn't pick this up.

My friend says he found a packer that beats KAV... but it comes up with a CMD window when it's unpacking, so that's pretty lame.
FLX
My KAV caught it.


Scan results
File: msnadmin.exe
Date: 05/02/2005 17:11:24 (CET)
----
AntiVir 6.30.0.7/20050502 found [TR/Drop.Agent.AI.2]
AVG 718/20050502 found nothing
BitDefender 7.0/20050502 found [Trojan.Dropper.Agent.AI]
ClamAV devel-20050307/20050502 found [Trojan.Prorat.19.B-srv]
DrWeb 4.32b/20050502 found [BackDoor.ProRat.19]
eTrust-Iris 7.1.194.0/20050501 found nothing
eTrust-Vet 11.7.0.0/20050502 found nothing
Fortinet 2.51/20050501 found [W32/Prorat.K-tr]
F-Prot 3.16b/20050502 found nothing
Ikarus 2.32/20050502 found [Trojan-PSW.Win32.LdPinch.FI]
Kaspersky 4.0.2.24/20050502 found [Backdoor.Win32.Prorat.19.s]
McAfee 4481/20050502 found [BackDoor-AVW]
NOD32v2 1.1085/20050501 found [Win32/Prorat.19]
Norman 5.70.10/20050502 found nothing
Panda 8.02.00/20050502 found nothing
Sybari 7.5.1314/20050502 found nothing
Symantec 8.0/20050501 found nothing
VBA32 3.10.3/20050502 found [BackDoor.ProRat.19]
hottzo
Yep, with the new virus defs KAV caught it. It was too late though; it took them over a week to find it (a week is known since TRi found it; it must have been circulating on the net for more than a week), so it doesn't count. Probably someone submitted it (consciously, or unconsciously via online AV scanning).


QUOTE(FLX @ May 2 2005, 10:34 AM)
My KAV caught it.
chris105
Yeah, www.virustotal.com submits it automatically unless you tell it not to...