Summary
A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.
Disinfection & Removal
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Technical Details
Installation
The malware starts a process named winlogon.exe (a dummy, not the Windows logon process) in which it runs its malicious threads, and drops a copy of itself to:
- %appdata%\Winlogon\winlogon.exe
It also writes a copy of the legitimate winlogon.exe to %windir%\system32\install\Windows.exe.
Registry
The malware creates the following registry launch point (the value name is the path of the originally executed file, the value data is the dropped copy):
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\%path_of_executed_file% = %appdata%\Winlogon\winlogon.exe
The following registry entries are also created under HKEY_CURRENT_USER\Software\chuck norris:
- FirstExecution = %date_time%
- NewIdentification = "chuck norris"
- NewGroup = 2
Backdoor Functionality
The malware is a reverse-connection remote administration tool: instead of listening for inbound connections, it connects out to chucknorris.zapto.org on port 150 and waits for commands. The hostname is a dynamic DNS name, so the address it resolves to can change.
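The following script is an added example for sweeping a host for the indicators listed in the Installation, Registry and Backdoor Functionality sections; it is not F-Secure tooling and is not part of the original description. It assumes it is run in the affected user's session (the registry paths are under HKEY_CURRENT_USER) and treats any winlogon.exe image outside System32 as suspicious. It does not resolve the dynamic DNS name, so the network check only looks for an established connection to port 150.

```powershell
# Added IOC sweep for the host-side indicators described above (example code, not F-Secure's).
# Assumptions: run as the affected user; the process check flags any winlogon.exe that is not
# the genuine one in System32; no DNS lookup of chucknorris.zapto.org is attempted.

$indicators = @()

# 1. Dropped copy of the malware and the relocated legitimate winlogon.exe
$dropPaths = @(
    (Join-Path $env:APPDATA 'Winlogon\winlogon.exe'),
    (Join-Path $env:windir 'system32\install\Windows.exe')
)
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $indicators += "File present: $p"
    }
}

# 2. Run-key launch point: any value whose data points at the %appdata% copy.
#    The value name is the original executable's path, so match on the data, not the name.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path -LiteralPath $runKey) {
    $run = Get-ItemProperty -LiteralPath $runKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSChildName and friends
        if ("$($prop.Value)" -match '(?i)\\Winlogon\\winlogon\.exe') {
            $indicators += "Run value '$($prop.Name)' = $($prop.Value)"
        }
    }
}

# 3. Bot configuration key written on first execution
$cfgKey = 'HKCU:\Software\chuck norris'
if (Test-Path -LiteralPath $cfgKey) {
    $cfg = Get-ItemProperty -LiteralPath $cfgKey
    $indicators += "Config key present: FirstExecution=$($cfg.FirstExecution) NewIdentification=$($cfg.NewIdentification) NewGroup=$($cfg.NewGroup)"
}

# 4. A winlogon.exe process whose image is not %windir%\System32\winlogon.exe.
#    Without admin rights .Path is $null for the real session winlogon, which is skipped.
$legit = Join-Path $env:windir 'System32\winlogon.exe'
Get-Process -Name winlogon -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.Path
    if ($path -and ($path -ine $legit)) {
        $indicators += "winlogon.exe (PID $($_.Id)) running from $path"
    }
}

# 5. Live reverse connection to the C2 port (Windows 8 / Server 2012 and later)
Get-NetTCPConnection -RemotePort 150 -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $indicators += "Established connection to $($_.RemoteAddress):150 from PID $($_.OwningProcess)"
}

if ($indicators.Count -eq 0) {
    'No indicators found.'
} else {
    $indicators
}
```

Run it in an elevated session to also see the image path of the genuine winlogon.exe; a hit on check 4 or 5 identifies the process to inspect (and its owning PID for the connection), while hits on checks 1 to 3 alone indicate a dormant or already killed instance whose persistence still needs to be removed.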