W32/Protux.GK!tr

Aliases: Backdoor.Win32.Protux.gk (KAV)
Release Date: Oct 07, 2009

Detection Availability
               Active Database    Extended Database
FortiGate      low                high
FortiClient
FortiMail      N/A

Current Antivirus Definition Database Version: 11.578
Description

Visible Symptoms

  • The following file exists:

    • %System%\workstation.dll

  • Possible firewall alert that an executable is attempting to connect to the internet.

Detailed Analysis


This trojan opens a backdoor through which a remote attacker can take full control of the infected computer. The attacker connects to the machine and carries out malicious activity on it, so the user's information and data are compromised.


Technical Details


  • The following file is created:

    • %System%\workstation.dll

  • The following registry entry is created:

    • HKEY_LOCAL_MACHINE\SYSTEM\NOD32Leading

  • The following registry entry is modified (key path given exactly as recorded in the analysis; the value name matches the ServiceDll setting that svchost-hosted services such as LanmanWorkstation, normally wkssvc.dll, use to locate the DLL implementing the service, so this setting causes a service host to load the trojan's DLL):

    • HKEY_LOCAL_MACHINE\SYSTEM\NOD32Leading\lanmanworkstation\parameters\servicedll = %System%\workstation.dll

  • It connects to the following IP address and port:

    • 114.244.40.77:8047

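The indicators above can be checked offline from artifacts pulled off a suspect host. The script below is an added example written for this page, not Fortinet's code or anything shipped with the product. It parses a .reg export of the SYSTEM hive (handling both quoted REG_SZ strings and hex(2) REG_EXPAND_SZ data, including continuation lines), flags any ServiceDll value that points at workstation.dll and, going beyond the advisory's literal indicator, any LanmanWorkstation ServiceDll that is not the legitimate wkssvc.dll, and scans connection log lines for the 114.244.40.77:8047 destination. The registry export, the log lines and the "dst=ip:port" log format are constructed assumptions; the export places the advisory's entry under the key exactly as recorded above.

```python
"""Offline check for the W32/Protux.GK!tr indicators listed above.
Added example, not Fortinet's code; both inputs below are constructed samples."""
import re
from dataclasses import dataclass

IOC_DLL = "workstation.dll"        # %System%\workstation.dll per the advisory
IOC_C2 = ("114.244.40.77", 8047)   # C2 address and port per the advisory
EXPECTED_WKSSVC = "wkssvc.dll"     # legitimate LanmanWorkstation ServiceDll

REG_VALUE_RE = re.compile(r'^"?(?P<name>[^"=]+)"?=(?P<data>.*)$')
CONN_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")

@dataclass
class Finding:
    kind: str      # "registry" or "network"
    where: str     # registry key or raw log line
    reason: str

def _logical_lines(text):
    """Join .reg continuation lines (trailing backslash) into one logical line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def parse_reg_export(text):
    """Yield (key, value_name, raw_data) triples from a .reg export."""
    key = None
    for line in _logical_lines(text):
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE_RE.match(line)
        if key and m:
            yield key, m.group("name"), m.group("data").strip()

def decode_reg_data(data):
    """Decode a quoted REG_SZ or a hex(2): (REG_EXPAND_SZ, UTF-16LE) value."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\")
    if data.lower().startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return data

def check_servicedll(key, dll):
    """Reasons a ServiceDll value looks hijacked; empty list if it looks clean."""
    reasons = []
    base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base == IOC_DLL:
        reasons.append(f"ServiceDll points at {IOC_DLL} (advisory IOC)")
    if "\\lanmanworkstation\\" in key.lower() and base != EXPECTED_WKSSVC:
        reasons.append(f"LanmanWorkstation ServiceDll is {base}, expected {EXPECTED_WKSSVC}")
    return reasons

def scan_registry(reg_text):
    """Flag ServiceDll values matching the IOC or replacing the real wkssvc.dll."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if name.lower() == "servicedll":
            for reason in check_servicedll(key, decode_reg_data(data)):
                findings.append(Finding("registry", key, reason))
    return findings

def scan_connections(log_text):
    """Flag log lines whose destination is the advisory's C2 address and port."""
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m and (m.group("ip"), int(m.group("port"))) == IOC_C2:
            findings.append(Finding("network", line.strip(), "destination matches C2 IOC"))
    return findings

# Constructed sample: the legitimate LanmanWorkstation entry as hex(2) over
# continuation lines, then the advisory's entry under the key as recorded.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,\
  6b,00,73,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\NOD32Leading\lanmanworkstation\parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\workstation.dll"
'''

# Constructed sample in an assumed "dst=ip:port" firewall log format.
SAMPLE_CONN_LOG = """\
2009-10-07 10:12:03 action=allow proto=tcp src=10.0.0.15:49211 dst=114.244.40.77:8047
2009-10-07 10:12:05 action=allow proto=tcp src=10.0.0.15:49212 dst=192.0.2.10:443
2009-10-07 10:12:09 action=deny proto=tcp src=10.0.0.22:49301 dst=114.244.40.77:8047
"""

def run_check(reg_text=SAMPLE_REG, conn_log=SAMPLE_CONN_LOG):
    return scan_registry(reg_text) + scan_connections(conn_log)

if __name__ == "__main__":
    for f in run_check():
        print(f"[{f.kind}] {f.where}: {f.reason}")
```

Run as-is it reports two registry findings (both rules fire on the recorded key) and two network findings (the allowed and the denied connection to the C2 port); pass a real export and log to run_check() for a live case. The script does not check for the file itself, so on the host also confirm whether %System%\workstation.dll is present and compare it against the ServiceDll value actually loaded by the LanmanWorkstation service.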

Description Last Updated Date: Oct 08, 2009
Reference: ID - 1064599