VID 24054
Severity 40
Port 5880,5802,5838
Protocol TCP
Class BackDoor
Detailed Description Backdoor Y3K RAT is detected.
Y3K RAT is a trojan horse program created in May 2000 and written in Delphi. It has been distributed as versions 1.0, 1.1, 1.2, 1.3, 1.4, 1.4b, 1.5, 1.6, 1.6 MegaSecurity and Pro 0.1. The backdoor consists of client.exe (the client program), server.exe (the server program) and server editor.exe or server builder.exe (the server editing program). Depending on the version, it uses TCP port 5880, 5802 (v1.6) or 5838 (Pro 0.1) as its default port, and at the same time uses TCP ports 5882, 5890, 5803 and 5839 and TCP/UDP ports 5888 and 5889. In versions above 1.4, the server can be reconfigured with the server editing program by a remote attacker. It includes an ICQ IP sniffer and may send a notification to the attacker's UIN. The server may be configured in many ways using combinations of some 40 features. It can disable local use of the trojan, so that nobody can use the client on the same machine as the server. Because the program can alter the various registrations in the Registry, the manual removal instructions may not be totally reliable. If this backdoor program is running, you will find the following registry entries, depending on the version:

* The registry location:
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' (all versions)
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices' (V1.4, 1.4b, 1.5)
'HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' (V1.4, 1.4b, 1.5)

* The registry Value Name:
Explorer32 (V1.0, 1.1, 1.2)
Nvarch16 (V1.3)
Msscmc32 (V1.4, 1.4b)
Dcomcnofg (V1.5)
MSCONFIG (V1.6)

* The registry Value Data:
C:\WINDOWS\Rundll.exe (V1.0, 1.1, 1.2)
C:\WINDOWS\Nvarch16.exe (V1.3)
C:\WINDOWS\Advapi32.exe (V1.4, 1.4b)
C:\WINDOWS\SYSTEM\Dcomcnofg.exe (V1.5)
C:\WINDOWS\SYSTEM\MSCONFIG.exe (V1.6)
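
As an added example (not part of this entry and not vendor code), the following Python script parses the text output of `reg query <key> /s` and reports only entries whose autostart key, value name and image file name all match the indicators listed above; it also checks HKEY_CURRENT_USER\...\Run because the removal steps name that key. The sample output it scans is constructed, not a real capture.

```python
import re
# Persistence indicators from the advisory: value name -> (image file name, version).
# Both must match: names like Advapi32 or MSCONFIG also occur legitimately.
Y3K_INDICATORS = {
    "explorer32": ("rundll.exe", "1.0/1.1/1.2"),
    "nvarch16": ("nvarch16.exe", "1.3"),
    "msscmc32": ("advapi32.exe", "1.4/1.4b"),
    "dcomcnofg": ("dcomcnofg.exe", "1.5"),
    "msconfig": ("msconfig.exe", "1.6"),
}
# Autostart keys named in the advisory, compared case-insensitively.
AUTOSTART_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)}
# A value line as printed by `reg query`: indented name, REG_* type, data.
_VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")

def parse_reg_query(text):
    """Yield (key, value_name, data) from `reg query <key> /s` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()  # key header; the indented lines below are its values
            continue
        m = _VALUE_LINE.match(line)
        if key and m:
            yield key, m.group(1), m.group(3)

def find_y3k(text):
    """Return [(version, key, value_name, data)] for entries matching the advisory."""
    hits = []
    for key, name, data in parse_reg_query(text):
        if key.lower() not in AUTOSTART_KEYS:
            continue
        indicator = Y3K_INDICATORS.get(name.lower())
        image = data.lower().replace("/", "\\").rsplit("\\", 1)[-1]  # file name part
        if indicator and image == indicator[0]:
            hits.append((indicator[1], key, name, data))
    return hits

# Constructed sample (not a real capture): a v1.4 and a v1.6 entry among benign values.
SAMPLE = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Msscmc32    REG_SZ    C:\WINDOWS\Advapi32.exe
    Updater     REG_SZ    C:\Program Files\Vendor\updater.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    MSCONFIG    REG_SZ    C:\WINDOWS\SYSTEM\MSCONFIG.exe"""
print(find_y3k(SAMPLE))
```

On a live system, feed it the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s` (and the other keys listed) instead of SAMPLE.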

* Platforms Affected:
Microsoft Windows Any version

* References:
http://www.iss.net/security_center/static/4496.php
http://www.symantec.com/avcenter/venc/data/backdoor.y3krat.12.html
http://www.tlsecurity.net/backdoor/y3k.html
Recommendation Remove it from your computer:

* For versions 1.0, 1.1 and 1.2:
1. Remove the "Explorer32" value from the registry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run using regedit or any other registry editing program.
2. Reboot the computer or terminate the Rundll.exe process.
3. Delete the trojan file Rundll.exe from the Windows system directory.

* For version 1.3:
1. Remove the "Nvarch16" value from the registry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run using regedit or any other registry editing program.
2. Reboot the computer or terminate the Nvarch16.exe process.
3. Delete the trojan file Nvarch16.exe from the Windows system directory.

* For versions 1.4, 1.4b or 1.5:
1. Remove the "Msscmc32" (or "Dcomcnofg") value from the registry at 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices' and 'HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' using regedit or any other registry editing program.
2. Reboot the computer or terminate the Nvarch16.exe (or Dcomcnofg.exe) process.
3. Delete the trojan file Nvarch16.exe (or Dcomcnofg.exe) from the Windows system directory.

* For version 1.6:
1. Remove the "MSCONFIG" value from the registry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run using regedit or any other registry editing program.
2. Reboot the computer or terminate the MSCONFIG.exe process.
3. Delete the trojan file MSCONFIG.exe from the Windows system directory.

-- OR --

Remove it from your computer using a vaccine program (anti-virus program).