
System Infected: W32.Shadesrat Activity 3

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects W32.Shadesrat activity on the compromised computer.

Additional Information

This worm may arrive on the computer at a location and under a file name chosen by the attacker, for example:
%CurrentFolder%\[THREAT FILE NAME].exe

When the worm executes, it creates the following registry subkey:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\[EIGHT TO TEN RANDOM CHARACTERS]

Next, it modifies the following registry entry in order to add itself to the list of applications authorized by the Windows firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%CurrentFolder%\[THREAT FILE NAME].exe" = "%CurrentFolder%\[THREAT FILE NAME].exe:*:Enabled:Windows Messanger"
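The two registry indicators above are the host-based artifacts a responder would sweep for. The following triage helper is an added example and not part of the Symantec write-up: it parses values in the XP/2003-era firewall exception format used under the AuthorizedApplications\List key ("<path>:<scope>:<Enabled|Disabled>:<display name>") and flags entries whose display name borrows a Windows product name while the executable sits outside the Windows or Program Files trees, which is exactly the shape of the entry this worm writes. The trusted root paths, the alphanumeric assumption for the SrvID marker, and all sample values are constructed for illustration.

```python
"""Triage helper for Windows firewall AuthorizedApplications\\List values.

Added example (not Symantec's or the worm author's code). Values under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\
StandardProfile\\AuthorizedApplications\\List have the documented form
    <path>:<scope>:<Enabled|Disabled>:<display name>
"""
import re
from dataclasses import dataclass

# Assumption: default install roots; a genuine Windows component lives here.
TRUSTED_ROOTS = (
    r"c:\windows\,".rstrip(","),
    r"c:\program files\,".rstrip(","),
    r"c:\program files (x86)\,".rstrip(","),
)

# Display names an attacker might borrow to blend in. "mess[ae]nger" also
# covers the misspelled "Windows Messanger" string written by W32.Shadesrat.
LOOKALIKE_NAMES = re.compile(
    r"windows\s+mess[ae]nger|windows\s+update|svchost|explorer", re.I)

# The path may contain a drive-letter colon, so anchor the other fields
# explicitly instead of splitting on ':'. The display name may contain ':'.
ENTRY_RE = re.compile(
    r"^(?P<path>(?:[A-Za-z]:)?[^:]*):(?P<scope>[^:]*):"
    r"(?P<state>Enabled|Disabled):(?P<name>.*)$")

# Assumption: the 8-10 "random characters" in the SrvID\ID subkey are
# alphanumeric; the write-up does not specify the alphabet.
SRVID_MARKER = re.compile(r"[A-Za-z0-9]{8,10}")


@dataclass
class FirewallEntry:
    path: str
    scope: str
    enabled: bool
    name: str


def parse_entry(value: str) -> FirewallEntry:
    """Parse one REG_SZ value from AuthorizedApplications\\List."""
    m = ENTRY_RE.match(value)
    if not m:
        raise ValueError(f"not a firewall exception value: {value!r}")
    return FirewallEntry(m["path"], m["scope"],
                         m["state"] == "Enabled", m["name"])


def assess(entry: FirewallEntry) -> list:
    """Return human-readable reasons an entry deserves a closer look."""
    reasons = []
    untrusted = not entry.path.lower().startswith(TRUSTED_ROOTS)
    if untrusted and LOOKALIKE_NAMES.search(entry.name):
        reasons.append("Windows-like display name but executable is outside "
                       "Windows/Program Files")
    if untrusted and entry.enabled and entry.scope == "*":
        reasons.append("enabled for all remote addresses from a "
                       "non-standard install location")
    return reasons


def scan(values) -> list:
    """Return (entry, reasons) for every value raising at least one flag.
    Malformed values are skipped rather than treated as findings."""
    results = []
    for value in values:
        try:
            entry = parse_entry(value)
        except ValueError:
            continue
        reasons = assess(entry)
        if reasons:
            results.append((entry, reasons))
    return results


def looks_like_srvid_marker(subkey: str) -> bool:
    """True if a subkey name under ...\\SrvID\\ID matches the described shape."""
    return bool(SRVID_MARKER.fullmatch(subkey))


# Constructed sample values; the second mimics the worm's entry.
SAMPLE_VALUES = [
    r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\Documents and Settings\user\Desktop\photo.exe:*:Enabled:Windows Messanger",
    r"C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox",
    r"C:\Documents and Settings\user\Local Settings\Temp\update.exe:*:Enabled:Tool: Pro",
]

if __name__ == "__main__":
    for entry, reasons in scan(SAMPLE_VALUES):
        print(entry.path, "->", "; ".join(reasons))
```

On a live system the values come from `reg query` or `Get-ItemProperty` on the List key; feed them to `scan()` and review every flagged path alongside the HKCU SrvID\ID subkeys. The heuristics are deliberately loose (legitimate software installed under a user profile will trip the second rule), so treat the output as a review list, not a verdict.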

The worm then connects to a remote location, allowing an attacker to issue the following commands on the compromised computer:

Hijack the audio or video on the compromised computer
Inject itself into other running executable files
Perform DDoS attacks through UDP flooding
Record all keystrokes
Run as a proxy, redirecting an attacker's traffic
Sniff network traffic
Upload or download files through HTTP and FTP

Affected

  • Various Windows platforms