BKDR_PRAYER.13

Malware type: Backdoor

Aliases: Backdoor.Win32.Prayer.13 (Kaspersky), TR/Prayer.13.Srv (Avira), Backdoor:Win32/Prayer_1_3 (Microsoft)

In the wild: No

Destructive: No

Language: Portuguese

Platform: Windows

Encrypted: No

Overall risk rating:

Description: 
This backdoor program gives a remote user control over an infected computer. It consists of a server part and a client part: the server part infects the target computer, and the client part is used to control the infected computer. It compromises network security.


Description created: Nov. 6, 2000 12:15:29 PM GMT -0800
Description updated: Oct. 7, 2001 6:23:47 PM GMT -0800


TECHNICAL DETAILS


Size of malware:
  Client = 418,304 Bytes
  Server = 226,304 Bytes

Payload 1: (it compromises network security)

Trigger condition 1: Upon Execution

Details:
Server side:
Upon execution, the server side of this backdoor malware installs itself on the infected computer by copying itself to C:\Windows\System\DLLS32.EXE.

It modifies the registry as follows:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  SystemFiles = "C:\WINDOWS\SYSTEM\dlls32.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  SysFiles = "C:\WINDOWS\SYSTEM\dlls32.exe"

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
  SystemFiles = "C:\WINDOWS\SYSTEM\dlls32.exe"

Once DLLS32.EXE is loaded and has installed itself, it gives a remote hacker running the client side access to, and control over, the infected system.

Client Side:
To access and control an infected computer, the client side asks for its IP address and then connects to it immediately. Upon execution, it displays an interface with the following text strings:

Ver. 1.3
For Windows 95/98
Aperte ENTER
para niciar

The Prayer Trojan

By Isneiqui {TITH}

When the screen is clicked, it displays a graphical user interface in which a remote hacker enters the IP address of an infected computer that is ready for access. From this user interface the hacker can access all files on all drives of the infected system or send messages to the infected user.


SOLUTION


Minimum scan engine version needed: 5.400

Pattern file needed: 0.672.00

Pattern release date: Mar 14, 2000


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

  1. Click Start>Run, type REGEDIT and then press the Enter key.
  2. Double click each of the following keys and then delete the registry entry SystemFiles "C:\WINDOWS\SYSTEM\dlls32.exe":
    • HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
    • HKEY_USERS>.DEFAULT>Software>Microsoft>Windows>CurrentVersion>Run
  3. Double click the following key and then delete the registry entry SysFiles "C:\WINDOWS\SYSTEM\dlls32.exe":
    • HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
  4. Scan your system with Trend Micro antivirus and delete all files detected as BKDR_PRAYER.13. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other users may use HouseCall, Trend Micro's free online virus scanner.
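The three Run-key entries listed under Technical Details are the host-based indicators a responder can check for, and the Solution steps above amount to deleting exactly those values. The following is an added example (not Trend Micro's code and not part of the original advisory) that works offline on a REGEDIT export: it parses a .reg file, flags Run-key values that match the advisory's indicators (value names SystemFiles / SysFiles, or data pointing at dlls32.exe), and emits a removal .reg that deletes only the flagged values using REGEDIT's `"Name"=-` delete syntax. The export text is constructed for the example; the benign ScanRegistry entry is included to show that unrelated Run values are left alone.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a REGEDIT export (.reg). Backslashes in string data are
# doubled in this format, as a real export would show them. The dlls32.exe
# values mirror the three Run-key entries the advisory attributes to BKDR_PRAYER.13;
# ScanRegistry is a benign Windows 98 autorun entry added for contrast.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemFiles"="C:\\WINDOWS\\SYSTEM\\dlls32.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SysFiles"="C:\\WINDOWS\\SYSTEM\\dlls32.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemFiles"="C:\\WINDOWS\\SYSTEM\\dlls32.exe"
'''

# Indicators taken from the advisory text.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
DROPPED_FILE = "dlls32.exe"
VALUE_NAMES = {"systemfiles", "sysfiles"}

RegTree = Dict[str, Dict[str, str]]
Hit = Tuple[str, str, str]  # (key path, value name, value data)


def parse_reg_export(text: str) -> RegTree:
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only named REG_SZ values ("Name"="data") are handled; the default value
    (@=...) and hex-typed values are ignored, which is enough for Run keys.
    """
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree[current] = {}
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # Un-double the backslashes the .reg format escapes.
            tree[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return tree


def find_prayer_persistence(tree: RegTree) -> List[Hit]:
    """Return Run-key values whose name or data matches the advisory's indicators."""
    hits: List[Hit] = []
    for key, values in tree.items():
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue  # only autorun keys are of interest here
        for name, data in values.items():
            if name.lower() in VALUE_NAMES or DROPPED_FILE in data.lower():
                hits.append((key, name, data))
    return hits


def build_removal_reg(hits: List[Hit]) -> str:
    """Emit a .reg file that deletes only the flagged values.

    "Name"=- under a [key] header is REGEDIT's syntax for deleting a value;
    other values in the same key are untouched, matching the manual steps.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({k for k, _, _ in hits}):
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for k, name, _ in hits if k == key)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_prayer_persistence(parse_reg_export(SAMPLE_REG_EXPORT))
    for key, name, data in found:
        print(f"{key} :: {name} = {data}")
    print(build_removal_reg(found))
```

Feed it a real export (`REGEDIT /E run.reg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run`, repeated for the other hives) rather than the sample, review the hits, and only then import the generated removal file; on Windows 95/98 the export header is `REGEDIT4`, which the parser also accepts.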


