Hi,
I have a bit of a long shot of a question, but I am looking for something that "may" be a virus. Apparently it attacks a personal computer if they try to attempt to gain access to somebody's chat records/online chat? The name I have is "prorata" but that could be a mis-hearing, lack of communication, I've tried googling things that sound like that, but I have nothing.
Personally I've never heard of such a piece of software (but I am aware of IM viruses, whether it falls under that category I dunno!)
Any ideas however bizarre and wild throw them out there as this is a bit of a fishing trip of an investigation that may lead nowhere…
Thanks.
Update: That should be "prorate"
Sorry to reply to my own thread, but I just found something that could be what I want.
It's called ProRAT, anybody familiar with it? It's new to me, but after watching a YouTube video and viewing the wiki and website of it I see what it does and how it could be used in a similar way to infecting somebody with a virus that is trying to access their chat records (but I think it would be a case of manually seeing if somebody is accessing your chat records?) but it looks like it defo could be used to access somebody's computer and infect it with a virus if they suspect them of doing something. Plus the name is as close as you can get to what I was given? (prorate = ProRAT??) coincidence
Anybody familiar with this?
I don't know if this is linked but Symantec posted information about the Trojan Backdoor.Prorat in 2007:
Discovered: June 13, 2003
Updated: February 13, 2007 12:19:57 PM
Also Known As: Backdoor.Prorat.10b3 [Kaspersk
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
When Backdoor.Prorat is executed, it performs the following actions:
Copies itself to the %System% or %Windir% folder. The following file names have been seen, however, it is possible that different variants use different file names:
%System%\Main.exe
%System%\Loader.exe
%System%\Msmsg.exe
%System%\Winserv.dll
%System%\Fservice.exe
%System%\Sservice.exe
%Windir%\Winlogon.exe
Notes:
%Windir% is a variable. The Backdoor.Prorat locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
%System% is a variable. The Backdoor.Prorat locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Creates .dll files in the %System% folder. The following file names have been seen, however, it is possible that different variants use different file names:
%System%\wininv.dll
%System%\winkey.dll
Adds a value at one or more of the following locations in the Windows registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The following values have been seen added:
"MSNMESENGER"="%System%\Main.exe"
"DirectX for Microsoft Windows"="%System%\Fservice.exe"
"DirectX for Microsoft Windows"="%System%\Sservice.exe"
"StubPath"="C:\Windows\system\Sservice.exe"
Modifies the value data of:
Shell
in the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
from:
"explorer.exe"
to:
"explorer.exe %System%\Fservice.exe"
so that the backdoor runs when you start Windows NT/2000/XP.
Opens a listening port. All the variants seen so far open a port in the range of 50000 - 60000.
Sends the version number of the Trojan, as well as the IP address and port number of the target computer, to a specific ICQ user through the ICQ Web pager.
May inject a .dll file into the Winlogon process as a thread, which will end the processes of various security products.
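
The registry indicators in the writeup quoted above can be turned into a quick check of a suspect machine. This is an added example, not part of the thread or of Symantec's writeup: it scans text in the layout that `reg query` prints for the listed Run-key file names and for a modified Winlogon Shell value. The function names and the sample input are assumptions made for illustration, and the Active Setup StubPath location is not covered.

```python
import ntpath
import re

# File names and registry locations below are the ones listed in the writeup.
LISTED_NAMES = {"main.exe", "loader.exe", "msmsg.exe", "winserv.dll",
                "fservice.exe", "sservice.exe", "wininv.dll", "winkey.dll"}
RUN_KEYS = (r"\microsoft\windows\currentversion\run",
            r"\microsoft\windows\currentversion\policies\explorer\run")
WINLOGON_KEY = r"\microsoft\windows nt\currentversion\winlogon"
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) from `reg query` style output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m.group(1), m.group(3).strip()

def is_listed_file(path):
    """True if the file name is one the writeup lists."""
    folder, name = ntpath.split(path.strip('"').lower())
    if name == "winlogon.exe":  # genuine copy lives in System32, not %Windir%
        return not folder.endswith("system32")
    return name in LISTED_NAMES

def find_persistence(text):
    """Return (key, value_name, data, reason) for every match."""
    hits = []
    for key, name, data in parse_reg_query(text):
        k = key.lower()
        if k.endswith(RUN_KEYS) and is_listed_file(data):
            hits.append((key, name, data, "Run value names a listed file"))
        elif k.endswith(WINLOGON_KEY) and name.lower() == "shell" \
                and data.lower() != "explorer.exe":
            hits.append((key, name, data, "Shell is not plain explorer.exe"))
    return hits

# Constructed sample input, not output captured from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    DirectX for Microsoft Windows    REG_SZ    C:\WINDOWS\system32\Fservice.exe
    SoundMan    REG_SZ    C:\WINDOWS\SoundMan.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe C:\WINDOWS\system32\Fservice.exe
"""

if __name__ == "__main__":
    print(*find_persistence(SAMPLE), sep="\n")
```

Because the writeup says variants may use different file names, an empty result does not clear a machine; the Shell check is the more general of the two since it flags anything other than plain explorer.exe.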