A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.
Once detected, the F-Secure security product will automatically handle a harmful program or file by either deleting or renaming it.
You can remove the backdoor manually by deleting WinCrash server (usually SERVER.EXE) file from \WINDOWS\SYSTEM folder in pure DOS or after booting from clean system diskette.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
Like most backdoor, WinCrash has both aserver andclient components. The server component is installed on a system the attacker wishes to target; once installed, the attacker can then issue commands to the server component via aclient component, in order to control the infected machine.
The default name for the server component is SERVER.EXE and it is a standalone EXE application. When the server part is run it installs itself to system, usually by copying itself to \Windows\System directory with the name of the file it was started from, and modifying the Windows Registry so that it can run automatically during all future Windows sessions. Being active in memory, the server part listens to certain TCP/IP ports for commands from a client part.
A client part is a standalone EXE application with dialog interface that allows the attacker to control the remote system. The client part has a status window that allows to see what 'features' of WinCrash backdoor are currently enabled.
The following is the list of WinCrash features (and comments for them):
External Devices:
Windows Control:
WinCrash Server Administration:
Server Communications:
File Manager: