Port No | 2583 |
Service Name | WinCrash |
RFC Doc | 0 |
Protocol | TCP |
Description | WinCrash 2 ships a new client. When we tried to use the client it crashed, but even with a non-working client the WinCrash 2 server adds a few new features, among them using the victim's computer to send email. Note also that WinCrash renames regedit.exe to redit.bak, which blocks the usual way of inspecting and cleaning the registry. |
Reference Link | WinCrash |
Attack | Autoloads: Registry value "WinManager" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (its data is the path of the trojan file), plus a run= line under [Windows] in win.ini pointing at the same file.
Features: access floppy drive repeatedly; capture screen; change date; change or remove desktop wallpaper; chat; clipboard lock on/off; close all programs; close ICQ, IE or mIRC; control mouse; disable/enable Start button; exit or shut down Windows; flash Caps Lock, Num Lock and Scroll Lock; flip screen; flood printer; file manager; find file; freeze mouse; get ICQ UIN; get passwords; get system information; hide/show Start button; hide/show taskbar; lock up system; monitor on/off; open/close CD-ROM; open Control Panel applets; play WAV file; screen saver bomb on/off; send email from the server's (victim's) computer; start screen saver; system keys on/off; view active processes.
Fix: 1. Rename redit.bak back to regedit.exe. 2. In the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, locate the WinManager value and write down the trojan file path it contains, then delete the WinManager value (regedit or any other registry editor will do). 3. Open win.ini (usually c:\windows\win.ini) in any text editor and, under [Windows], remove the line run=<trojan file noted in step 2>. 4. Reboot, or terminate the trojan process noted in step 2, so the file is no longer locked. 5. Delete the trojan file noted in step 2 and delete Register.exe from the Windows system directory. |
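The indicators and clean-up steps in the Attack field, as a PowerShell triage script. This is an added example, not code from the original page or from WinCrash's author: it checks every indicator the table lists (the WinManager Run value, the win.ini run= line, the renamed regedit.exe, Register.exe in the system directory, and a listener on TCP 2583) and only changes anything when -Remediate is given. The function and parameter names are this example's own; the System32 location of Register.exe and the use of Get-NetTCPConnection assume a modern Windows, whereas the original page describes a Windows 9x system directory.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell.
# Read-only unless -Remediate is passed. Paths/port come from the table above;
# the function and parameter names are assumptions of this example.
function Invoke-WinCrashTriage {
    [CmdletBinding()]
    param([switch]$Remediate)

    $RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $ValueName   = 'WinManager'
    $WinIni      = Join-Path $env:SystemRoot 'win.ini'            # usually C:\Windows\win.ini
    $Regedit     = Join-Path $env:SystemRoot 'regedit.exe'
    $RegeditBak  = Join-Path $env:SystemRoot 'redit.bak'
    $RegisterExe = Join-Path $env:SystemRoot 'System32\Register.exe'  # assumed modern system dir
    $Port        = 2583

    $findings = @()

    # 1. Autoload value in the Run key; its data is the trojan's path
    $trojanPath = (Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($trojanPath) { $findings += "Run value '$ValueName' -> $trojanPath" }

    # 2. run= line under [Windows] in win.ini (section-aware so other sections are untouched)
    $iniRun = $null
    if (Test-Path $WinIni) {
        $section = ''
        foreach ($line in Get-Content $WinIni) {
            if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
            if ($section -ieq 'windows' -and $line -match '^\s*run\s*=\s*(.+?)\s*$') { $iniRun = $Matches[1] }
        }
        if ($iniRun) { $findings += "win.ini [Windows] run=$iniRun" }
    }

    # 3. regedit.exe renamed to redit.bak
    if ((Test-Path $RegeditBak) -and -not (Test-Path $Regedit)) { $findings += "regedit.exe missing, $RegeditBak present" }

    # 4. Register.exe dropped in the system directory
    if (Test-Path $RegisterExe) { $findings += "$RegisterExe present" }

    # 5. Something listening on the WinCrash port (netstat fallback for older hosts)
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if ($listener) { $findings += "TCP $Port listening, PID $($listener.OwningProcess)" }
    elseif (netstat -ano -p tcp 2>$null | Select-String ":$Port\s+.*LISTENING") { $findings += "TCP $Port listening (netstat)" }

    if (-not $findings) { Write-Host 'No WinCrash indicators found.'; return }
    $findings | ForEach-Object { Write-Warning $_ }
    if (-not $Remediate) { return }

    # Remediation follows the Fix steps in the table: kill first, then autoloads, then files.
    if ($trojanPath) {
        Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path -ieq $trojanPath } | Stop-Process -Force
        Remove-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
    }
    if ($iniRun) {
        $section = ''
        $kept = Get-Content $WinIni | Where-Object {
            if ($_ -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1] }
            -not ($section -ieq 'windows' -and $_ -match '^\s*run\s*=')
        }
        Set-Content -Path $WinIni -Value $kept
    }
    if ((Test-Path $RegeditBak) -and -not (Test-Path $Regedit)) { Rename-Item -Path $RegeditBak -NewName 'regedit.exe' }
    foreach ($f in @($trojanPath, $iniRun, $RegisterExe)) {
        if ($f -and (Test-Path $f)) { Remove-Item -Path $f -Force }   # keep a copy first if you want to analyse it
    }
    Write-Host 'Remediation applied; reboot to confirm the autoloads are gone.'
}

Invoke-WinCrashTriage            # report only
# Invoke-WinCrashTriage -Remediate
```

Run the report-only form first and copy the trojan file somewhere for analysis before passing -Remediate; the script deletes it after stopping the process, exactly as the Fix steps do, but without a sample you cannot later confirm what the listener on 2583 actually was.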