Backdoor:W32/WinCrash

Threat description

Details

CATEGORYMalware
TYPEBackdoor
PLATFORMW32

Summary

A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.



Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Manual Removal

You can remove the backdoor manually by deleting WinCrash server (usually SERVER.EXE) file from \WINDOWS\SYSTEM folder in pure DOS or after booting from clean system diskette.

Technical Details

Like most backdoor, WinCrash has both aserver andclient components. The server component is installed on a system the attacker wishes to target; once installed, the attacker can then issue commands to the server component via aclient component, in order to control the infected machine.

The default name for the server component is SERVER.EXE and it is a standalone EXE application. When the server part is run it installs itself to system, usually by copying itself to \Windows\System directory with the name of the file it was started from, and modifying the Windows Registry so that it can run automatically during all future Windows sessions. Being active in memory, the server part listens to certain TCP/IP ports for commands from a client part.

A client part is a standalone EXE application with dialog interface that allows the attacker to control the remote system. The client part has a status window that allows to see what 'features' of WinCrash backdoor are currently enabled.

The following is the list of WinCrash features (and comments for them):

External Devices:

  • Keyboard Light Bomb - blink keyboard lights continuously
  • Open/Close CD-ROM Drive
  • Mouse control - move, lock, unlock
  • Flood Server Printer
  • Monitor control - on/off
  • Flip Screen

Windows Control:

  • System Keys - on/off
  • Clipboard Lock/Unlock
  • ScreenSaver Bomb - on/off
  • TaskBar control - show/hide
  • Start Button control - show/hide
  • Desktop Wallpaper control - remove/change
  • Date control - set new date on remote system

WinCrash Server Administration:

  • Close Server - disable server part
  • Delete Server Application - delete server part
  • Lockup System - this crashes Windows on remote system
  • Close All Programs
  • Exit Windows
  • Shutdown Windows

Server Communications:

  • Chat - chat with remote user, flood (open a lot of messageboxes)
  • Send Text - send text to remote system
  • Get Server Information - get information about remote system
  • View Remote Passwords - doesn't always work
  • View Remote Netstat - get output from NETSTAT on remote system
  • View Active Processes

File Manager:

  • Open Server Hard Disk - open ftp connection for remote hard disk
  • Play WAV files
  • Delete and Execute Files
  • Modify Remote Autoexec.bat - replace contents with crap

Submit a Sample

Suspect a file or URL was wrongly detected?
Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info