Win32/Prosiak [Threat Name]

Win32/Prosiak.AC [Threat Variant Name]

Category trojan
Size 242156 B
Detection created Nov 20, 2017
Detection database version 16440
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\gdi32.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    • "Microsoft DLL Loader" = "gdi32.exe"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RConfig]
    • "Startup" = "%flag1%"
    • "Log" = "%filename1%"
    • "KStartup" = "%flag2%"
    • "Klog" = "%filename2%"
    • "Name" = "%password%"
    • "HPort" = "%port1%"
    • "HAuto" = "%flag3%"
    • "BPort" = "%port2%"
    • "PLocal" = "%port3%"
    • "PRemote" = "%port4%"
    • "PHost" = "%ipaddr1%"
    • "MailHost" = "%url1%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RScript\%variable1%]
    • "comm" = "%comment1%"
    • "l0" = "%command%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RDate\%variable2%]
    • "comm" = "%comment2%"
    • "enabled" = "%flag4%"
    • "ilerazy" = "%number1%"
    • "random" = "%number2%"
    • "coile" = "%number3%"
    • "yr1" = "%yearfrom%"
    • "yr2" = "%yearto%"
    • "m1" = "%monthfrom%"
    • "m2" = "%monthto%"
    • "d1" = "%dayfrom%"
    • "d2" = "%dayto%"
    • "h1" = "%hourfrom%"
    • "h2" = "%hourto%"
    • "mi1" = "%minutefrom%"
    • "mi2" = "%minuteto%"
    • "dw1" = "%weekdayfrom%"
    • "dw2" = "%weekdayto%"

A string with variable content is used instead of %variable1-2%.

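The persistence value and the configuration subkeys listed above can be checked offline in an exported registry hive. The following Python is an added example, not code from ESET or from this page; it assumes a `.reg`-style text export and uses a constructed sample in which the key paths and value names follow the description above.

```python
import re

# Constructed sample of a Windows .reg export (not taken from the page); the key
# paths and value names match the ESET description of Win32/Prosiak.AC above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft DLL Loader"="gdi32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RConfig]
"Name"="changeme"
"HPort"="8080"
"""

CURRENT_VERSION = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
# Subkeys the trojan writes under CurrentVersion; RScript and RDate get a
# variable-named child key, so only the top-level subkey name is compared.
CONFIG_SUBKEYS = {"rconfig", "rscript", "rdate"}

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = re.fullmatch(r"\[(.+)\]", line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = re.fullmatch(r'"(.+?)"="(.*)"', line)
        if value_match and current is not None:
            keys[current][value_match.group(1)] = value_match.group(2)
    return keys

def find_prosiak_indicators(text):
    """Return (kind, key, value_name, data) tuples for Prosiak.AC registry indicators."""
    findings = []
    prefix = CURRENT_VERSION.lower() + "\\"
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(prefix):
            continue
        top = key[len(prefix):].split("\\", 1)[0].lower()
        if top == "runservices":
            for name, data in values.items():
                # The legitimate GDI library is gdi32.dll, not an .exe started from RunServices.
                if name == "Microsoft DLL Loader" or data.lower().endswith("gdi32.exe"):
                    findings.append(("persistence", key, name, data))
        elif top in CONFIG_SUBKEYS:
            findings.append(("config", key, None, None))
    return findings
```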
The trojan may create the following files:

  • %system%\kbdlog.vxd
  • %system%\keylog.log
  • %system%\prolog.vxd
  • %system%\rbkwd.vxd

The trojan may delete the following files:

  • %system%\msrsdk.exe
  • %system%\mstx32.exe
  • %system%\rundll.exe
  • %system%\vbrun60.exe
  • %system%\windll32.exe

Information stealing

Win32/Prosiak.AC is a trojan that steals sensitive information.
The following information is collected:

  • user name
  • computer name
  • logged keystrokes
  • screenshots
  • current screen resolution
  • data from the clipboard
  • the path to specific folders
  • list of disk devices and their type
  • list of files/folders on a specific drive
  • window text content
  • memory status

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 2 URLs. The HTTP, TCP and SMTP protocols are used.

It may perform the following actions:

  • run executable files
  • execute shell commands
  • set up a remote control server
  • set up a proxy server
  • set up an HTTP server
  • send mail
  • open a specific URL address
  • create Registry entries
  • delete Registry entries
  • various file system operations
  • send the list of files on a specific drive to a remote computer
  • send files to a remote computer
  • log keystrokes
  • simulate keyboard activity
  • block keyboard and mouse input
  • set clipboard data
  • steal information from the Windows clipboard
  • capture screenshots
  • show/hide application windows
  • display a dialog window
  • hide taskbar
  • open the CD/DVD drive
  • play sound/video
  • swap mouse buttons
  • manipulate application windows
  • change the user name
  • change the computer name
  • turn the display off
  • log off the current user
  • shut down/restart the computer
  • remove itself from the infected computer

The trojan hides its running process.
