| Port No | 5888 |
| Service Name | Y3K RAT ver1.3 |
| RFC Doc | 0 |
| Protocol | TCP |
| Description | Y3K RAT 1.3 has a new client and a few new features. At the time Y3K RAT 1.3 was released every infected server was tracked in a text file. This allowed anyone to view this text file and connect to servers. However this text file has been removed. This trojan also has a edit server which allows a ICQ UIN to be notified when your computer comes online and to display a fake error message the first time the server is ran. It does write to the registry in Windows NT but crashes horribly. So, if you are running Windows NT just remove the registry key |
| Reference Link | Y3K RAT |
| Attack | Autoloads: Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Key: Advapi32 Features: Bomb nums, caps and scroll locks Chat with server Click mouse button Enable/Disable Alt-Ctrl-Del File manager Get screen shot Get server info Hang up server ICQ Notify Key logger Lock/unlock at a position Open/Close Cd-Rom Over clock Send message Send to URL Show full window of text Shutdown power off, restart, or log off windows Swap mouse buttons View and change resolution View, clear, change clipboard View, close and hide active processes View desktop, scanner and web cam Write error to system.ini not allowing windows restart (Probably can be fixed by booting into dos) Fix: Remove the Explorer32 key in the registry located at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Which can be done with regedit or any other registry editing program. Reboot the computer or close RundII.exe. Delete the trojan file RundII.exe in the windows directory |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.