Win32/Protoride [Threat Name]

Win32/Protoride.NBH [Threat Variant Name]

Category: worm

Short description

Win32/Protoride.NBH is a worm that spreads via P2P networks and shared folders.

Installation

The following Registry entry is set:

  • [HKLM\SOFTWARE\Classes\exefile\shell\open\command\Default]

The entry contains the path to the worm's executable.

This causes the worm to be executed along with any program.
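
A defensive check for this persistence point, added here as an example and not part of the original description: it parses the text printed by `reg query "HKLM\SOFTWARE\Classes\exefile\shell\open\command" /ve` and flags any value other than the stock `"%1" %*`. The two sample outputs and the path `C:\WINDOWS\system32\example.exe` are constructed for illustration.

```python
import re

# Stock Windows command for launching .exe files. The Installation step above
# replaces it with a command that starts the worm's executable first.
EXPECTED = '"%1" %*'
# A value line in `reg query` output: indent, value name, type, data.
VALUE_LINE = re.compile(r'^\s+\S.*?\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.*)$')

# Constructed samples of `reg query <key> /ve` output (not from the page).
CLEAN = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
    (Default)    REG_SZ    "%1" %*
'''
HIJACKED = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
    (Default)    REG_SZ    C:\WINDOWS\system32\example.exe "%1" %*
'''

def read_default_command(reg_query_output):
    """Return the data of the first string value line, or None."""
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            return m.group('data').strip()
    return None

def check_exefile_handler(reg_query_output):
    """Classify the handler and name the program placed before the %1 argument."""
    cmd = read_default_command(reg_query_output)
    if cmd is None:
        return {'status': 'unreadable', 'command': None, 'interposed': None}
    if cmd == EXPECTED:
        return {'status': 'clean', 'command': cmd, 'interposed': None}
    # Everything before the %1 placeholder runs on every .exe launch.
    head = re.split(r'"?%1"?', cmd, maxsplit=1)[0].strip().strip('"')
    return {'status': 'hijacked', 'command': cmd, 'interposed': head or cmd}

if __name__ == '__main__':
    for label, sample in (('clean', CLEAN), ('hijacked', HIJACKED)):
        print(label, check_exefile_handler(sample))
```

The file named in `interposed` is the one to collect for analysis before the value is restored to `"%1" %*`.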


Spreading via shared folders

The worm searches for computers in the local network.

It tries to copy itself into the following folders on a remote machine:

  • Documents and Settings\All Users\Start Menu\Programs\StartUp
  • WINDOWS\Start Menu\Programs\StartUp
  • WIN98\Start Menu\Programs\StartUp
  • WINME\Start Menu\Programs\StartUp
  • WIN95\Start Menu\Programs\StartUp
  • WINDOWS.000\Start Menu\ProtUp
  • Documents and Settings\All Users\Menu Iniciar\Programas\Iniciar
  • WINDOWS\Menu Iniciar\Programas\Iniciar
  • WIN98\Menu Iniciar\Programas\Iniciar
  • WINME\Menu Iniciar\Programas\Iniciar
  • WIN95\Menu Iniciar\Programas
  • WINDOWS.000\Menu Iniciar\Programas\Iniciar
  • Documents and Settings\All Users\Menú Inicio\Programas\Inicio
  • WINDOWS\Menú Inicio\Programas\Inicio
  • WIN98\Menú Inicio\Programas\Inicio
  • WINME\Menú Inicio\Programas\Inicio
  • WIN95\Menú Inicio\Programas\Inicio
  • WINDOWS.000\Menú Inicio\Programas\Inicio
  • Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys
  • WINDOWS\Käynnistä-valikko\Ohjelmat\Käynnistys
  • WIN98\Käynnistä-valikko\Ohjelmat\Käynnistys
  • WINME\Käynnistä-valikko\Ohjelmat\Käynnistys
  • WIN95\Käynnistä-valikko\Ohjelmat\Käynnistys
  • Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
  • WINDOWS\Menu Démarrer\Programmes\Démarrage
  • WIN98\Menu Démarrer\Programmes\Démarrage
  • WINME\Menu Démarrer\Programmes\Démarrage
  • WIN95\Menu Démarrer\Programmes\Démarrage
  • Documents and Settings\All Users\Menuen Start\Programmer\Start
  • WINDOWS\Menuen Start\Programmer\Start
  • WIN98\Menuen Start\Programmer\Start
  • WINME\Menuen Start\Programmer\Start
  • WIN95\Menuen Start\Programmer\Start
  • Documents and Settings\All Users\Menu Start\Programma's\Opstarten
  • WINDOWS\Menu Start\Programma's\Opstarten
  • WIN98\Menu Start\Programma's\Opstarten
  • WINME\Menu Start\Programma's\Opstarten
  • WIN95\Menu Start\Programma's\Opstarten
  • Documents and Settings\All Users\Start Menu\Programlar\BASLANGIÇ
  • WINDOWS\Start Menu\Programlar\BASLANGIÇ
  • WIN98\Start Menu\Programlar\BASLANGIÇ
  • WINME\Start Menu\Programlar\BASLANGIÇ
  • WIN95\Start Menu\Programlar\BASLANGIÇ
  • Documents and Settings\All Users\Menu Start\Programy\Autostart
  • WINDOWS\Menu Start\Programy\Autostart
  • WIN98\Menu Start\Programy\Autostart
  • WINME\Menu Start\Programy\Autostart
  • WIN95\Menu Start\Programy\Autostart
  • Documents and Settings\All Users\Start-meny\Programmer\Oppstart
  • WINDOWS\Start-meny\Programmer\Oppstart
  • WIN98\Start-meny\Programmer\Oppstart
  • WINME\Start-meny\Programmer\Oppstart
  • WIN95\Start-meny\Programmer\Oppstart
  • Documents and Settings\All Users\Start-menyn\Program\Autostart
  • WINDOWS\Start-menyn\Program\Autostart
  • WIN98\Start-menyn\Program\Autostart
  • WINME\Start-menyn\Program\Autostart
  • WIN95\Start-menyn\Program\Autostart
  • Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
  • WINDOWS\Menu Avvio\Programmi\Esecuzione automatica
  • WIN98\Menu Avvio\Programmi\Esecuzione automatica
  • WINME\Menu Avvio\Programmi\Esecuzione automatica
  • WIN95\Menu Avvio\Programmi\Esecuzione automatica
  • Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
  • WINDOWS\Startmenü\Programme\Autostart
  • WIN98\Startmenü\Programme\Autostart
  • WINME\Startmenü\Programme\Autostart
  • WIN95\Startmenü\Programme\Autostart
  • WINDOWS.000\Startmenü\Programme\Autostart

The following names are used:

  • msupdate.exe

Spreading via P2P networks

The worm searches for shared folders of the following programs:

  • eMule
  • Shareaza
  • iMesh
  • Ares P2P
  • Kazaa
  • Kazaa Lite
  • eDonkey / Overnet
  • Morpheus
  • WinMX
  • Tesla
  • LimeWire
  • Bearshare
  • Grokster
  • TorrenTopia
  • Azureus

The executables of the worm are copied there using a random filename. The file may contain some of the following texts:

  • v
  • .x
  • .X
  • .xx
  • .XX
  • crack
  • Crack
  • CRACK
  • CRACK!!
  • patch
  • Patch
  • PATCH
  • PATCH!
  • patch + serial
  • patch+serial
  • PATCH + SERIAL
  • patch&serial
  • crack+patch
  • crack & patch
  • CRACK & PATCH
  • CRACK+PATCH!
  • no-cd + patch
  • no-cd & patch
  • PATCH + No-Cd
  • serial&no-cd
  • SERIAL&No-Cd
  • no-cd
  • NO-CD
  • keygen
  • KEYGEN
  • loader
  • Loader
  • LOADER
  • keygen + no-cd
  • KEYGEN + no-cd
  • keygen + patch
  • keygen & patch
  • keygen + loader
  • keygen & loader
  • serial
  • SERIAL
  • Serial
  • update
  • UPDATE
  • Update
  • activation key
  • Activation Key
  • trainer
  • TRAINER
  • Trainer
  • mod2
  • MOD2
  • Mod2
  • sp2
  • sp3
  • bonus
  • BONUS
  • Bonus
  • Retail
  • RETAIL
  • retail
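
A file-inventory sweep covering both spreading routes described above (copies named msupdate.exe in Startup folders, and lure-named executables in P2P shared folders), added here as an example and not part of the original description. It assumes the lure strings appear in the filename; the host name, the eMule folder path and the inventory lines are constructed.

```python
from pathlib import PureWindowsPath

DROP_NAME = 'msupdate.exe'  # name the page gives for Startup-folder copies
# Final folder names from the page's Startup list, compared case-insensitively.
STARTUP_DIRS = {d.casefold() for d in (
    'StartUp', 'Iniciar', 'Inicio', 'Käynnistys', 'Démarrage', 'Start',
    'Opstarten', 'BASLANGIÇ', 'Autostart', 'Oppstart', 'Esecuzione automatica')}
# Lure words from the page's P2P list, one entry per word regardless of case.
# The short fragments (v, .x, .xx) are left out: they match too much.
LURES = ('crack', 'patch', 'serial', 'no-cd', 'keygen', 'loader', 'update',
         'activation key', 'trainer', 'mod2', 'sp2', 'sp3', 'bonus', 'retail')

# Constructed share root and inventory lines (assumptions, not from the page).
P2P_ROOTS = [r'C:\Program Files\eMule\Incoming']
SAMPLE = [
    r'\\FILESRV01\C$\Documents and Settings\All Users\Start Menu\Programs\StartUp\msupdate.exe',
    r'C:\WINDOWS\Startmenü\Programme\Autostart\MSUPDATE.EXE',
    r'C:\Program Files\eMule\Incoming\Some Game KEYGEN + no-cd.exe',
    r'C:\Program Files\eMule\Incoming\holiday.jpg',
    r'C:\Tools\patch.exe',
]

def triage(paths, p2p_roots):
    """Return (path, reason) for files matching either spreading pattern."""
    roots = [PureWindowsPath(r) for r in p2p_roots]
    findings = []
    for raw in paths:
        p = PureWindowsPath(raw)
        name = p.name.casefold()
        if name == DROP_NAME and p.parent.name.casefold() in STARTUP_DIRS:
            findings.append((raw, 'msupdate.exe in Startup folder'))
        elif p.suffix.casefold() == '.exe' and any(r in p.parents for r in roots):
            # Only executables inside a known P2P shared folder are checked.
            hits = [w for w in LURES if w in name]
            if hits:
                findings.append((raw, 'P2P lure: ' + ', '.join(hits)))
    return findings

if __name__ == '__main__':
    for path, reason in triage(SAMPLE, P2P_ROOTS):
        print(reason, '|', path)
```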

Other information

The worm connects to the IRC network.


It can be controlled remotely.


It may perform the following actions:

  • executing programs
  • terminating processes
  • various filesystem operations
  • performing DoS/DDoS attacks
  • sending various information about the infected computer
  • stealing passwords
