Win32/Skrat [Threat Name]

Win32/Skrat.C [Threat Variant Name]

Category: trojan
Size: 1611872 B
Detection created: Oct 23, 2014
Detection database version: 10608
Aliases: Backdoor.Win32.Skrat.20 (Kaspersky)
         Backdoor:Win32/Vrat.D (Microsoft)

Short description

Win32/Skrat.C is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %windir%\%variable1%

The trojan creates the following file:

  • %windir%\%variable2% (50176 B)

The trojan may create the following files:

  • %system%\comdlg32.ocx (140488 B)
  • %system%\mscomctl.ocx (1066176 B)
  • %system%\mswinsck.ocx (108336 B)
  • %windir%\eimsn.exe (57344 B)
  • %windir%\sc_sc0.exe (106496 B)
  • %currentfolder%\upx.exe (126464 B)
  • %currentfolder%\ClientData.dat (80 B)
  • %currentfolder%\server.exe (34304 B)
  • %windir%\system32\win32system.dat
  • %windir%\system32\screen.jpg
  • %windir%\Pplugin9.dat
  • %system%\sys_sc.dll (95744 B)
  • C:\script.bat

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Windows32Bit Service" = "%windir%\%variable1%"

A string with variable content is used instead of %variable1-2%.
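
An added triage example (not ESET's code): it matches a host inventory of HKLM Run values and file sizes against the indicators listed above. The expansion of %windir% and %system% to a default C:\Windows install, the weak/strong split, the verdict labels and the sample inventory are assumptions made for this example.

```python
import ntpath

# Assumed expansion of the page's placeholders on a default install.
WINDIR, SYSTEM = r"c:\windows", r"c:\windows\system32"
RUN_VALUE = "windows32bit service"  # Run value name from the page, lowercased
# (directory, or None for %currentfolder%; name; size in bytes or None; weak?)
# Weak = also explained by legitimate software: the .ocx files are Microsoft
# Visual Basic 6 controls, upx.exe is the UPX packer, script.bat is generic.
FILE_IOCS = [
    (SYSTEM, "comdlg32.ocx", 140488, True),
    (SYSTEM, "mscomctl.ocx", 1066176, True),
    (SYSTEM, "mswinsck.ocx", 108336, True),
    (WINDIR, "eimsn.exe", 57344, False),
    (WINDIR, "sc_sc0.exe", 106496, False),
    (None, "upx.exe", 126464, True),
    (None, "clientdata.dat", 80, False),
    (None, "server.exe", 34304, False),
    (SYSTEM, "win32system.dat", None, False),
    (SYSTEM, "screen.jpg", None, False),
    (WINDIR, "pplugin9.dat", None, False),
    (SYSTEM, "sys_sc.dll", 95744, False),
    ("c:\\", "script.bat", None, True),
]

def scan(run_values, files):
    """Return (verdict, findings) for one host's Run values and file sizes."""
    findings = []
    run = {name.lower(): data for name, data in run_values.items()}
    if RUN_VALUE in run:
        target = run[RUN_VALUE].strip('"').lower()
        place = "in" if ntpath.dirname(target) == WINDIR else "outside"
        findings.append(("strong", f"Run value -> {target} ({place} %windir%)"))
    for path, size in files.items():
        low = path.lower()
        for directory, name, ioc_size, weak in FILE_IOCS:
            if (ntpath.basename(low) == name
                    and directory in (None, ntpath.dirname(low))
                    and ioc_size in (None, size)):
                findings.append(("weak" if weak else "strong", path))
    if any(level == "strong" for level, _ in findings):
        return "investigate", findings
    return ("low-confidence" if findings else "no match"), findings

# Constructed sample inventory (not real telemetry; the Run target is made up).
SAMPLE_RUN = {"Windows32Bit Service": r"C:\Windows\example_copy.exe"}
SAMPLE_FILES = {r"C:\Windows\eimsn.exe": 57344, r"C:\Tools\upx.exe": 400000,
                r"C:\Windows\System32\mscomctl.ocx": 1066176}

if __name__ == "__main__":
    print(scan(SAMPLE_RUN, SAMPLE_FILES))
```

Because the copy under %windir% has a variable name, the Run value name is the stable indicator; the .ocx files alone only warrant a low-confidence result.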

Information stealing

Win32/Skrat.C is a trojan that steals passwords and other sensitive information.

The trojan collects information related to the following applications:

  • MSN Messenger

The trojan collects the following information:

  • operating system version
  • hardware information

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

The trojan may execute the following commands:

  • regsvr32 comdlg32.ocx
  • regsvr32 mscomctl.ocx
  • regsvr32 mswinsck.ocx

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The TCP protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • show fake alerts
  • steal information from the Windows clipboard
  • steal social network account credentials
  • log keystrokes
  • capture screenshots
  • manipulate application windows
  • send various information about the infected computer
  • perform various file system operations
  • terminate running processes
  • shut down/restart the computer
  • log off the current user
  • perform various Registry operations
  • start/stop services
  • upload files to a remote computer

After the installation is complete, the trojan deletes the original executable file.
