Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Backdoor:W32/Spyrat.D


Aliases:


Backdoor:W32/Spyrat.D

Malware
Backdoor
W32

Summary

A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details


Installation

The malware creates a dummy winlogon.exe process where it runs its malicious threads and drops the following copy:

  • %appdata%\Winlogon\winlogon.exe

It also creates a legitimate winlogon.exe to %windir%\system32\install\Windows.exe.


Registry

The malware creates the following registry launch point:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run %path_of_executed_file% = %appdata%\Winlogon\winlogon.exe

The following registry entries would also be created:

  • HKEY_CURRENT_USER\Software\chuck norris FirstExecution = %date_time% NewIdentification = "chuck norris" NewGroup = 2

Backdoor Functionality

The malware is a reverse connection remote administration tool. It connects to chucknorris.zapto.org at port 150 to get its command.







Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.

Scan and clean your PC




F-Secure Online Scanner will scan and clean your PC in just a few minutes for free