Rule:

--
Sid:
3082

--
Summary:
This event is generated when a Y3KRAT 1.5 client attempts to respond to the Y3KRAT 1.5 server.

--
Impact:
If connected, the attacker could execute a multitude of functions resulting in a complete compromise of the victim's machine.

--
Detailed Information:
Y3KRAT 1.5 uses port 5880 by default. This port can be changed by the attacker. The following is a list of the commands for many of Y3KRAT 1.5's functions (Command Name: Command String):

AIM Passwords: aolpwd
AIM Spy: aolspy
Change Internet Explorer Caption: changeiecaptest
Chat With Server: chatsrvY3K Rat user
Clipboard: pastefromclip
Change Desktop Color Scheme: clsys
Change Recycle Bin Name: nrbin
Change System Name: sysname
Change Time: time
Video List: getvideolist
Dialup: autoconnect
Access Directories: getclientgetpaths
Get Directory Paths: getpaths
Disable Mouse Buttons: dbuttons
Disable Num Lock: dnumlock
Disable System Keys: dsyskeys
Disable All Keys: dkeys{all}
DOS Commands: doscommands
Fast Mouse: fastmouseon
Find File: findfile
Flip Screen: flip1hor
FTP: openftp21
Go To URL: gotourl
Hide Taskbar: hidetask
Hide Clock: hideclock
Hide Desktop Icons: hidedeskicons
Hide Start Button: hidestart
Hide System Tray: hidesystray
ICQ Information: getclienticqinfo
ICQ Passwords: geticqpass
ICQ Spy: icqspy
Internet Explorer Spy: iespy
General Information: general
Lights On: lightson
Lights Off: lightsoff
Live Shot: cap
Logged Passwords: getpasses
Logoff: boot41
Make File: makefile
Matrix Chat: matrix
Modify File (Read System File): readsysfiles
Modify File (Write System File): writesysfiles
Monitor Off: enablestandby
Mouse Settings (Set Position): setpos
Mouse Settings (Freeze Mouse Position): freezepos
Mouse Settings (Speed Up Cursor): speedcursor
MSN Spy: msnspy
Napster Spy: napsterspy
Net Get: netget
NetStat (Read): netstatread
NetStat (Kill): netstatkill
CD-ROM open: cdopen
CD-ROM close: cdclose
Open File: getfiles
Overclock: upmhz
Play Sound: snd (*followed by the sound, for example, err for the error sound*)
Power Off: boot31
Print: print
Ras Passwords: getras
Remove Server: killserver
Change Resolution: setdevmode
Restart: boot21
Safe Mode: safemode
Screenshot: cap
Send Keys: sendtextf
Send Message: messText
Show Windows With Text: showwin
Shutdown: boot11
Swap Mouse Buttons: swapbuttons
Write System Error: writesystem
Yahoo Spy: yahoospy

--
Affected Systems:
Windows 95, 98, ME, NT, 2000

--
Attack Scenarios:
The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise. Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address and presses the connect button and he has access to your computer.

--
Ease of Attack:
Easy. Simply a matter of pressing the connect button once the victim has installed the server.

--
False Positives:
None known

--
False Negatives:
None known

--
Corrective Action:
Remove the Dcomcnofg key located at the following places in the registry:
HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_USERS\Default\Software\Microsoft\Windows\CurrentVersion\Run
Reboot the computer or close Dcomcnofg.exe. Delete Dcomcnofg.exe from the windows system directory. If found, delete server.exe and kill the process called server.exe.

--
Contributors:
Sourcefire Research Team
Ricky Macatee <rmacatee@sourcefire.com>

--
Additional References:
Dark-E: http://www.dark-e.com/archive/trojans/y3krat/15/index.shtml
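The command strings in the Detailed Information section can be turned into a content-based check that does not depend on the default port, since the documentation notes the attacker can change it. The following is an added example, not part of the Snort rule documentation; the Conn record type, the function names and the sample connections are constructed for illustration.

```python
from dataclasses import dataclass

Y3KRAT_DEFAULT_PORT = 5880  # default per the rule documentation; attacker can change it

# Subset of the command table above (command string -> command name).
Y3KRAT_COMMANDS = {
    "getpasses": "Logged Passwords",
    "killserver": "Remove Server",
    "netstatkill": "NetStat (Kill)",
    "dkeys{all}": "Disable All Keys",
    "snd": "Play Sound",
    "cap": "Screenshot / Live Shot",
    "time": "Change Time",
    "general": "General Information",
}

@dataclass
class Conn:  # constructed record type, not a real capture format
    src: str
    dst_port: int
    payload: bytes

def y3krat_matches(conn: Conn) -> list[str]:
    """Names of Y3KRAT commands the payload starts with.

    Anchoring at the start, with end-of-payload or a space after the command,
    keeps short strings like 'cap' or 'time' from matching ordinary text.
    """
    text = conn.payload.decode("latin-1").strip()
    return [name for cmd, name in Y3KRAT_COMMANDS.items()
            if text == cmd or text.startswith(cmd + " ")]

def classify(conn: Conn) -> str:
    """Combine the content match with the port hint from the documentation."""
    hits = y3krat_matches(conn)
    if not hits:
        return "clean"
    where = "default port" if conn.dst_port == Y3KRAT_DEFAULT_PORT else "non-default port"
    return f"y3krat: {', '.join(hits)} ({where})"

# Constructed sample connections (not captured traffic).
SAMPLES = [
    Conn("10.0.0.5", 5880, b"getpasses"),
    Conn("10.0.0.5", 31337, b"snd err"),          # port changed, still caught on content
    Conn("10.0.0.9", 80, b"capture started\n"),   # 'cap' prefix alone must not fire
]

if __name__ == "__main__":
    for c in SAMPLES:
        print(c.src, c.dst_port, classify(c))
```

Short strings such as cap, time and general are the ones most likely to produce false positives in a deployed signature, which is why the match is anchored rather than a substring search.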