WCRAT

· Overview ·
· Origins ·
· Operation ·
· Risks ·
· Detection and Removal ·
· Research ·

Overview

Summary:

 A Windows remote control trojan coded in Delphi. The client is in C and runs on unix. Includes a tool (LookItUp.c) to test a host for infection.

Vendor Notes:

 from the doc: ' connect/open disconnect exec del/delete type get getkeylog winopen setwallpaper/wallpaper saveclipboard/saveclip serial maxcolours username screenresolution/screenres ask reboot shutdown'

Alias:

 Backdoor.WCRat.12

Category:

RAT: A Remote Administration Tool, or RAT, is a Trojan that when run, provides an attacker with the capability of remotely controlling a machine via a ""client"" in the attacker's machine, and a ""server"" in the victim's machine. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed in a victim's machine depends on the capabilities of the trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker -- who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses. One common vector is through File and Print Sharing, when home users inadvertently open up their system to the rest of the world. If an attacker has access to the hard-drive, he/she can place the trojan in the startup folder. This will run the trojan the next time the user logs in. Another common vector is when the attacker simply e-mails the trojan to the user along with a social engineering hack that convinces the user to run it against their better judgment.

Variants:
  • WCRAT (wC Remote Administration Tool) 1.1B
  • WCRAT (wC Remote Administration Tool) 1.2B
  • wCRAT 1.2b
    		•

    Similar Pests:

    		 RAT

    Origins

    Author:

    		 wc,

    By This Author:

    		 Apcd Local Xploit · Asmon Local Exploit · Awcrash.c · DoS against Alibaba 2.0 WebServer · Gnapster/Knapster View File Exploit · Gopher+[v2.3.1p0-] Daemon remote Xploit · IISDoS · Mobius DocumentDirect for the Internet 1.2 Buffer Overflow Vulnerabilities · NetMetro · NetMetro 1.0 · NetMetro 1.04 · Netmetro Patch · NetWare Trojan · ProFTPD 1.2pre4 Remote Buffer Overflow Xploit · Robotex Viking Server Buffer Overflow Vulnerability · SetXConf Exploit (Corel 1.0) · SuSe Local tmp Xploit · WCRAT (wC Remote Administration Tool) 1.1B · WCRAT (wC Remote Administration Tool) 1.2B · wCRAT 1.2b

    Programming Language:

    		 Delphi

    Date of Origin:

    		 Variants from February, 2000 to April, 2000

    Operation

    Default Port:

    		 5343 TCP More info about ports.

    Storage Required:
  • WCRAT (wC Remote Administration Tool) 1.1B: at least 305 KB
  • WCRAT (wC Remote Administration Tool) 1.2B: at least 317 KB
    		•

    Restart:

    		 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MS Windows System Explorer"
    Autostarting Pests

    Risks

    Detection Issues:

    		 Difficult to detect by design. May hide from process list. May install with variable names in variable locations.

    Detection and Removal

    Automatic Removal:

    PestPatrol detects this.

    PestPatrol removes this.

    Manual Removal:

    		 Follow these steps to remove WCRAT from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.
    Stop Running Processes:

    Kill these running processes with Task Manager:

    Remove Files:

    Remove these files (if present) with Windows Explorer:

    Research

    File Analyses:

    More Info:
  • AllTheWeb, AltaVista, AOL Search, Ask Jeeves, Google, HotBot, Lycos, LookSmart, MSN, Yahoo!
    		•

    Research By:
  • PestPatrol's Pest Research Center
    		•

    Last Revised:

    		 July 08, 2004