Event ID - 30

Port No30
Service NameBackDoor.Krass
RFC Doc0
ProtocolTCP
DescriptionThis is a backdoor malware that allows a remote user to access an infected PC. It has two parts, the server part, which is 232,960 Bytes in length and the client part is 471,552 Bytes in length
Reference LinkBackDoor.Krass
AttackSolutions:

This backdoor malware consists of two parts, the client program and the server program. The server program allows a remote user to control the infected PC, while the client program, once executed can log-in to the server program and remotely control the PC.

The server program creates a socket and binds it to port 456. It listens to this port to establish a connection with the client program and uses the name "Explorer" to avoid detection. Once the server establishes a connection with the client, the client can now have access to the infected PC remotely.

The client program enables a remote user who is running it, to establish a link to the infected PC. The remote user can now perform any of the following on the infected PC:

Enable Disk Access (R/W)
Delete Files/Folder
Run an application
Download File
View the victims running processes
Get RAS passwords
The client program also contains some useful functions, so that it can be used as a standalone program. It has an option to change any window’s title, properties and buttons, and view a window’s registered class name.

The server program has one hidden switch, when enabled prevents the client program from doing any disk access. With this, the server program becomes useless. The only thing the client program can then do is "view" the running processes of the victims PC. To enable this feature, the switch /SECRET should be added in the command line. The program displays a window with four options:

Disable RAS Password
Disable Disk Access
Disable File Deleting
Disable Button Clicking
Both programs do not modify any files and can easily be closed. The server program can be closed by just hitting the (x) close button or by pressing Ctrl-Alt-Del. While the client program can be closed by choosing "exit".

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.