Port No | 48 |
Service Name | DRAT |
RFC Doc | 0 |
Protocol | TCP |
Description | This backdoor program acts as a remote Telnet server for a Windows PC. It does not add a startup entry so that it runs after the infected system reboots; instead it modifies a registry entry so that it is loaded whenever an EXE file is executed. It compromises network security. |
Reference Link | DRAT |
Attack | Solution:

Windows 9x. Do not delete the backdoor file before completing the following cleaning procedure.

1. Restart the computer in MS-DOS mode: click Start > Shut Down and choose "Restart in MS-DOS mode".
2. At the C:\ prompt, enter the following command:
   regedit /e file.reg hkey_classes_root\exefile\shell\open\command
3. Edit the file FILE.REG and look for the following entry:
   @="SHELL32 \"%1\" %*"
4. Delete SHELL32 so that the entry reads:
   @="\"%1\" %*"
5. Save and close the file.
6. Import the edited FILE.REG back into the registry with the following command:
   regedit file.reg
7. Type exit to return to Windows.

Windows NT

1. Click Start > Run, type REGEDIT.EXE and press ENTER.
2. Press CTRL-ALT-DEL and choose Task Manager. In the Task Manager window, look for the process that belongs to the backdoor; its name is usually the filename of the backdoor file that was executed.
3. Highlight the backdoor process and click the End Process button.
4. Return to the Registry Editor window and follow the path:
   hkey_classes_root\exefile\shell\open\command
5. In the right-hand panel, select the registry value that contains:
   SHELL32 "%1" %*
6. Right-click the name of the registry value and choose Modify.
7. In the Edit String dialog box, delete the word SHELL32 that precedes "%1" %*. The final value of the entry should be:
   "%1" %*
8. Click OK in the Edit String window to save the new entry.
9. Close the Registry Editor window.
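As an added, defender-side illustration of the FILE.REG steps above (example code, not part of this database entry): a Python script that parses a regedit export of the exefile command key, reports whether the default value has been prefixed with another program, and writes the corrected value back. It assumes the REGEDIT4 export format that regedit /e writes (an `[HKEY_...]` section header followed by `@="..."` for the default value); the sample export is constructed.

```python
import re

# Key the procedure above exports and repairs, and its value on a clean system (run the EXE itself).
EXEFILE_COMMAND_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXPECTED_EXE_COMMAND = '"%1" %*'

# Constructed sample FILE.REG export (REGEDIT4 format from "regedit /e") with the hijacked value.
SAMPLE_INFECTED_REG = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="SHELL32 \"%1\" %*"
'''

def unescape_reg_string(raw):
    # .reg string data escapes " as \" and \ as \\.
    return re.sub(r'\\(["\\])', r'\1', raw)

def default_value_lines(reg_text, key_path):
    # Yield (line index, stripped line) for every '@=' (default value) line under key_path.
    current_key = None
    for index, line in enumerate(reg_text.splitlines()):
        stripped = line.strip()
        if stripped.startswith('[') and stripped.endswith(']'):
            current_key = stripped[1:-1].lower()
        elif current_key == key_path.lower() and stripped.startswith('@='):
            yield index, stripped

def read_default_value(reg_text, key_path):
    """Return the (default) string value under key_path, or None if it is absent."""
    for _, line in default_value_lines(reg_text, key_path):
        if match := re.fullmatch(r'@="(.*)"', line):
            return unescape_reg_string(match.group(1))
    return None

def classify_exe_command(value):
    """Classify the exefile open command as clean, hijacked, unexpected or missing."""
    if value is None:
        return ('missing', None)
    if value == EXPECTED_EXE_COMMAND:
        return ('clean', None)
    # Anything placed before "%1" %* is launched every time any EXE is opened.
    if value.endswith(EXPECTED_EXE_COMMAND):
        return ('hijacked', value[:-len(EXPECTED_EXE_COMMAND)].strip())
    return ('unexpected', value)

def repair_reg_export(reg_text, key_path):
    """Rewrite the default value under key_path to the clean command (the page's FILE.REG edit)."""
    lines = reg_text.splitlines()
    for index, _ in default_value_lines(reg_text, key_path):
        lines[index] = '@="' + EXPECTED_EXE_COMMAND.replace('"', '\\"') + '"'
    return '\n'.join(lines) + '\n'
```

Feeding the script the export from step 2 reports `('hijacked', 'SHELL32')`, and the text returned by `repair_reg_export` is what step 4 asks you to produce by hand before re-importing it.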