Backdoor:W32/WinCrash

Classification

Category :

Malware

Type :

Backdoor

Aliases :

WinCrash, Trojan.wincrash., Trojan.wincrash.a, Trojan.wincrash.b

Summary

A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

You can remove the backdoor manually by deleting the WinCrash server file (usually SERVER.EXE) from the \WINDOWS\SYSTEM folder, either in pure DOS or after booting from a clean system diskette.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Like most backdoors, WinCrash has both a server and a client component. The server component is installed on a system the attacker wishes to target; once installed, the attacker can then issue commands to the server component via a client component in order to control the infected machine.

The default name for the server component is SERVER.EXE, and it is a standalone EXE application. When the server part is run it installs itself on the system, usually by copying itself to the \Windows\System directory under the name of the file it was started from, and modifying the Windows Registry so that it runs automatically during all future Windows sessions. While active in memory, the server part listens on certain TCP/IP ports for commands from a client part.
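As an added illustration (not part of the original F-Secure description), the following Python checks exported autostart entries for the installation pattern described above: a SERVER.EXE launched from the Windows system directory. The Run key and the sample entries are constructed assumptions; the page does not name which Registry value WinCrash modifies.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the format of `reg query <key>` output.
# Using the standard HKLM Run key is an assumption; the page only states
# that WinCrash modifies the Registry to start on every Windows session.
SAMPLE_RUN_ENTRIES = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    LoadPowerProfile    REG_SZ    Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    Server    REG_SZ    C:\WINDOWS\SYSTEM\SERVER.EXE
    Updater    REG_SZ    "C:\Program Files\Vendor\update.exe" /quiet
"""

SERVER_NAME = "server.exe"  # default WinCrash server file name (from the page)
# Windows 9x and NT system directories, drive letter stripped (assumed set).
SYSTEM_DIRS = {"windows\\system", "windows\\system32"}


def parse_reg_query(text):
    """Return (value_name, data) pairs from reg query style output lines."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def image_path(data):
    """Extract the executable path from a Run value, quoted or with arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split()[0]


def suspicious_wincrash_entries(text):
    """Flag autostart entries whose target is SERVER.EXE in a Windows system dir."""
    hits = []
    for name, data in parse_reg_query(text):
        path = PureWindowsPath(image_path(data))
        if path.name.lower() != SERVER_NAME:
            continue
        # Drop the drive letter so C:\WINDOWS\SYSTEM and WINDOWS\SYSTEM compare equal.
        parent = str(path.parent).lower().split(":", 1)[-1].lstrip("\\")
        if parent in SYSTEM_DIRS:
            hits.append((name, str(path)))
    return hits
```

A match only shows that an autostart entry fits the documented pattern; confirm the file itself with a scan before removing it.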

The client part is a standalone EXE application with a dialog interface that allows the attacker to control the remote system. It has a status window showing which 'features' of the WinCrash backdoor are currently enabled.

The following is the list of WinCrash features, with comments on each:

External Devices:

  • Keyboard Light Bomb - blink keyboard lights continuously
  • Open/Close CD-ROM Drive
  • Mouse control - move, lock, unlock
  • Flood Server Printer
  • Monitor control - on/off
  • Flip Screen

Windows Control:

  • System Keys - on/off
  • Clipboard Lock/Unlock
  • ScreenSaver Bomb - on/off
  • TaskBar control - show/hide
  • Start Button control - show/hide
  • Desktop Wallpaper control - remove/change
  • Date control - set new date on remote system

WinCrash Server Administration:

  • Close Server - disable server part
  • Delete Server Application - delete server part
  • Lockup System - this crashes Windows on remote system
  • Close All Programs
  • Exit Windows
  • Shutdown Windows

Server Communications:

  • Chat - chat with the remote user, or flood (open a large number of message boxes)
  • Send Text - send text to remote system
  • Get Server Information - get information about remote system
  • View Remote Passwords - doesn't always work
  • View Remote Netstat - get output from NETSTAT on remote system
  • View Active Processes

File Manager:

  • Open Server Hard Disk - open ftp connection for remote hard disk
  • Play WAV files
  • Delete and Execute Files
  • Modify Remote Autoexec.bat - overwrite its contents with junk data