File: 3083.txt

package info (click to toggle)
snort 2.9.7.0-5
  • links: PTS, VCS
  • area: main
  • in suites: buster, sid, stretch
  • size: 55,000 kB
  • ctags: 38,464
  • sloc: ansic: 266,667; sh: 12,508; makefile: 2,908; yacc: 497; perl: 496; lex: 261; sed: 14
file content (141 lines) | stat: -rw-r--r-- 3,617 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
Rule: 

--
Sid: 
3083
-- 
Summary: 
This event is generated when a Y3KRAT 1.5 server attempts to confirm the client's response.

-- 
Impact: 
If connected, the attacker could execute a multitude of functions resulting in a complete compromise of the victim's machine.

--
Detailed Information:
Y3KRAT 1.5 uses port 5880 by default. This port can be changed by the attacker. 

The following is a list of the commands for many of Y3KRAT 1.5's functions (Command Name: Command String):

AIM Passwords: aolpwd
AIM Spy: aolspy
Change Internet Explorer Caption: changeiecaptest
Chat With Server: chatsrvY3K Rat user
Clipboard: pastefromclip
Change Desktop Color Scheme: clsys
Change Recycle Bin Name: nrbin
Change System Name: sysname
Change Time: time
Video List: getvideolist
Dialup: autoconnect
Access Directories: getclientgetpaths
Get Directory Paths: getpaths
Disable Mouse Buttons: dbuttons
Disable Num Lock: dnumlock
Disable System Keys: dsyskeys
Disable All Keys: dkeys{all}
DOS Commands: doscommands
Fast Mouse: fastmouseon
Find File: findfile
Flip Screen: flip1hor
FTP: openftp21
Go To URL: gotourl
Hide Taskbar: hidetask
Hide Clock: hideclock
Hide Desktop Icons: hidedeskicons
Hide Start Button: hidestart
Hide System Tray: hidesystray
ICQ Information: getclienticqinfo
ICQ Passwords: geticqpass
ICQ Spy: icqspy
Internet Explorer Spy: iespy
General Information: general
Lights On: lightson
Lights Off: lightsoff
Live Shot: cap
Logged Passwords: getpasses
Logoff: boot41
Make File: makefile
Matrix Chat: matrix
Modify File (Read System File): readsysfiles
Modify File (Write System File): writesysfiles
Monitor Off: enablestandby
Mouse Settings (Set Position): setpos
Mouse Settings (Freeze Mouse Position): freezepos
Mouse Settings (Speed Up Cursor): speedcursor
MSN Spy: msnspy
Napster Spy: napsterspy
Net Get: netget
NetStat (Read): netstatread
NetStat (Kill): netstatkill
CD-ROM open: cdopen
CD-ROM close: cdclose
Open File: getfiles
Overclock: upmhz
Play Sound: snd (*followed by the sound, for example, err for the error sound*)
Power Off: boot31
Print: print
Ras Passwords: getras
Remove Server: killserver
Change Resolution: setdevmode
Restart: boot21
Safe Mode: safemode
Screenshot: cap
Send Keys: sendtextf
Send Message: messText
Show Windows With Text: showwin
Shutdown: boot11
Swap Mouse Buttons: swapbuttons
Write System Error: writesystem
Yahoo Spy: yahoospy


--
Affected Systems:
	Windows 95, 98, ME, NT, 2000

--
Attack Scenarios: 
The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise.
Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program
to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address and 
presses the connect button and he has access to your computer.

-- 

Ease of Attack: 
Simple

-- 
False Positives:
None known

--
False Negatives:
None known

-- 
Corrective Action: 
Remove the Dcomcnofg key located at the following places in the registry:
HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\Run 
HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_USERS\Default\Software\Microsoft\Windows\CurrentVersion\Run

Reboot the computer or close Dcomcnofg.exe.

Delete Dcomcnofg.exe from the windows system directory.

If found, delete server.exe and kill the process called server.exe.

--
Contributors:
Sourcefire Research Team
Ricky Macatee <rmacatee@sourcefire.com> 

-- 
Additional References:

Dark-E:
http://www.dark-e.com/archive/trojans/y3krat/15/index.shtml

--