| Field | Value |
|---|---|
| Port No | 31 |
| Service Name | BackDoor.Krass |
| RFC Doc | 0 |
| Protocol | TCP |
| Description | This is a backdoor malware that allows a remote user to access an infected PC. It has two parts: the server part, which is 232,960 bytes in length, and the client part, which is 471,552 bytes in length. |
| Reference Link | BackDoor.Krass |
Attack | Solutions:

This backdoor malware consists of two parts, the client program and the server program. The server program allows a remote user to control the infected PC, while the client program, once executed, can log in to the server program and remotely control the PC.

The server program creates a socket and binds it to port 456. It listens on this port to establish a connection with the client program and uses the name "Explorer" to avoid detection. Once the server establishes a connection with the client, the client has remote access to the infected PC.

The client program enables the remote user running it to establish a link to the infected PC. The remote user can then perform any of the following on the infected PC:

- Enable Disk Access (R/W)
- Delete Files/Folder
- Run an application
- Download File
- View the victim's running processes
- Get RAS passwords

The client program also contains some utility functions, so that it can be used as a standalone program. It has an option to change any window's title, properties and buttons, and to view a window's registered class name.

The server program has one hidden switch which, when enabled, prevents the client program from doing any disk access. With this, the server program becomes useless: the only thing the client program can then do is "view" the running processes of the victim's PC. To enable this feature, the switch /SECRET should be added on the command line. The program then displays a window with four options:

- Disable RAS Password
- Disable Disk Access
- Disable File Deleting
- Disable Button Clicking

Neither program modifies any files, and both can easily be closed. The server program can be closed by hitting the (x) close button or by pressing Ctrl-Alt-Del, while the client program can be closed by choosing "exit".