1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content




Backdoor:W32/Spyrat.D

Name : Backdoor:W32/Spyrat.D
Detection Names : Backdoor:W32/Spyrat.D
Category:Malware
Type:Backdoor
Platform:W32

Summary

A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.

Additional Details


Installation

The malware creates a dummy winlogon.exe process where it runs its malicious threads and drops the following copy:
  • %appdata%\Winlogon\winlogon.exe


It also creates a legitimate winlogon.exe to %windir%\system32\install\Windows.exe.

Registry

The malware creates the following registry launch point:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    %path_of_executed_file% = %appdata%\Winlogon\winlogon.exe


The following registry entries would also be created:
  • HKEY_CURRENT_USER\Software\chuck norris
    FirstExecution = %date_time%
    NewIdentification = "chuck norris"
    NewGroup = 2



Backdoor Functionality

The malware is a reverse connection remote administration tool. It connects to chucknorris.zapto.org at port 150 to get its command.