
W32/Protux.GK!tr - Released Oct 07, 2009 - Last Updated Oct 08, 2009

Alias/es

Backdoor.Win32.Protux.gk (KAV)

Detection Availability

                  Active Database    Extended Database
FortiGate         low                high
FortiClient
FortiMail         N/A

Visible Symptoms

  • The following file exists:

    • %System%\workstation.dll

  • Possible firewall alert that an executable is attempting to connect to the internet.

Detailed Analysis


This trojan opens a backdoor through which a remote attacker can take full control of the infected computer. Once the attacker connects, they can run arbitrary actions on the machine, so any information and data stored on it must be treated as compromised.


Technical Details


  • The following file is created:

    • %System%\workstation.dll

  • The following registry entry is created:

    • HKEY_LOCAL_MACHINE\SYSTEM\NOD32Leading

  • The following registry entry is modified:

    • HKEY_LOCAL_MACHINE\SYSTEM\NOD32Leading\lanmanworkstation\parameters\servicedll = %System%\workstation.dll

  • The following is the IP address it connects to, together with the port it uses:

    • 114.244.40.77:8047


Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 1064599