Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

W32/Protori-Fam

Mar 17, 2004 12:58AM PST

Aliases
W32/Protoride.worm, W32.Protoride.Worm

Type
Win32 worm

Description
The W32/Protoride family of Windows worms spread via network shares. They also have a backdoor component that allows unauthorised remote access to the computer via IRC channels.
W32/Protori-Fam worms usually attempt to copy themselves to the Windows system folder with the filename rdpty.exe and then set the following registry entry so as to run themselves before all EXE files:

HKCR\exefile\shell\open\command

W32/Protori-Fam worms usually attempt to copy themselves to msupdate.exe in the startup folder of shared network computers.

W32/Protori-Fam worms may also set the following registry entry:

HKLM\Software\BeyonD inDustries\ProtoType[v2]

W32/Protori-Fam worms remains resident, usually running in the background as a service process and listening for commands from remote users via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32protorifam.html

Discussion is locked