Backdoor.Win32.S.Agent.49699
| Aliases | Ghost RAT | ||
|---|---|---|---|
| Typical Symptoms | Information leak | ||
| Discovered | [korea] 0000-00-00 [Foreign] 0000-00-00 |
||
| Type | Backdoor | ActiveField | Win32 |
| Destory/Distribution |   |
||
| Origin | others | Encryption | NO |
| Location | File | Memory residence | NO |
| Scan engine needed |
2011-08-09 [Able to detect & repair]
|
||
A. Route of Infection
Backdoor.Win32.S.Agent.49699 does not spread out as itself and it is downloaded from hacked site or other malicious codes such as Spyware, Adware, Dropper, and etc. B. Symptom of Infection1) Backdoor.Win32.S.Agent.49699 is a variant of remote tool, ghost RAT. 2) Backdoor.Win32.S.Agent.49699 runs by loading to RUNDLL32.EXE.
[PIC 1] rundll32.exe Load 3) Backdoor.Win32.S.Agent.49699 runs by registering to service.
[PIC 2] Add to registry 4) Backdoor.Win32.S.Agent.49699 performs malicious actions such as print screen, file transfer, keyboard & mouse control and etc.
[PIC 3] Print screen
[PIC 4] Keyboard & Mouse control
[PIC 5] Data transfer
[PIC 6] File transfer type 5) Backdoor.Win32.S.Agent.49699 seems to access to a C&C server which is located in China and does additional malicious actions via remote session.
[PIC 7] Network access |
[How to repair] Reparable by ViRobot engine ver.2011-08-09.03 or above. |
