Threat Encyclopedia

Win32/McRat.A

Aliases: Trojan-Dropper.Win32.Agent.bkvs (Kaspersky), Trojan.Hydraq (Symantec), Backdoor:Win32/Mdmbot.D (Microsoft)
Type of infiltration: Trojan
Size: 41984 B
Affected platforms: Microsoft Windows
Signature database version: 4795 (20100121)

Short description

Win32/McRat.A is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan creates the following files:
  • %userprofile%\%service%.dll (31744 B)
A string with variable content is used instead of %service%.

The trojan registers itself as a system service using the following filename:
  • %variable%
A string with variable content is used instead of %variable%.

In order to be executed on every system start, the trojan sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%service%\Parameters]
    "StubPath" = "%filepath%"
    "ServiceDll" = "%userprofile%\%service%.dll"
The trojan creates and runs a new thread with its own program code within the following processes:
  • McpRoXy.exe

Information stealing

The trojan collects the following information:
  • operating system version
  • CPU information
  • computer name
  • user name
  • passwords
The trojan can send the information to a remote machine.

The trojan contains a list of 1 URL. The HTTP protocol is used.

Other information

The trojan receives data and commands from a remote computer or the Internet. The HTTP protocol is used.

It can execute the following operations:
  • download files from a remote computer and/or Internet
  • run executable files
The trojan may create the following files:
  • %temp%\%number%.bak
  • %temp%\%computername%.ax
  • %temp%\%computername%_p.ax
  • %temp%\uid.ax
Strings with variable content are used instead of %number% and %computername%.

The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
    "%service%" = "%service%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "%service%" = "rundll32.exe "%profile%\%service%.dll", Launch"
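A defender-side hunting script for the persistence artefacts described in the Installation and Other information sections above, added here as an example and not part of the ESET write-up. It assumes PowerShell 5.1 or later running with administrative rights on the host being checked; it generalises the %userprofile% indicator to any profile under the Users directory, and its three heuristics (a ServiceDll under a user profile, a single-member SvcHost group named after its service, a Run value that uses rundll32 on a profile-resident DLL) will also match some benign software, so findings are leads for triage rather than verdicts.

```powershell
# Added hunting example for the McRat.A persistence indicators listed above (not ESET code).
# Assumes PowerShell 5.1+ with administrative rights. $usersRoot is derived from the current
# user's profile (e.g. C:\Users) so that every profile on the host is covered.
$usersRoot = Split-Path ([Environment]::GetFolderPath('UserProfile')) -Parent
$findings  = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Where, [string]$Value, [string]$Why) {
    $findings.Add([pscustomobject]@{ Where = $Where; Value = $Value; Why = $Why })
}

# 1. ServiceDll values under Services\<name>\Parameters that resolve into a user profile.
#    Legitimate svchost-hosted services load their DLLs from %SystemRoot%, never from a profile.
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue
    if (-not $p) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($p.ServiceDll)
    if ($dll -like "$usersRoot\*") {
        Add-Finding "Services\$($svc.PSChildName)\Parameters\ServiceDll" $dll 'service DLL stored under a user profile'
    }
}

# 2. SvcHost groups made of a single service named after the group (the "%service%" = "%service%"
#    pattern above). Built-in groups such as netsvcs hold several services.
$svchost = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost' -ErrorAction SilentlyContinue
if ($svchost) {
    foreach ($prop in $svchost.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }           # skip PSPath, PSChildName, ... metadata
        $members = @($prop.Value)
        if ($members.Count -eq 1 -and $members[0] -eq $prop.Name) {
            Add-Finding "SvcHost\$($prop.Name)" $members[0] 'single-member svchost group named after its service'
        }
    }
}

# 3. Run values that use rundll32.exe to load a DLL stored under a user profile.
foreach ($hive in 'HKCU', 'HKLM') {
    $run = Get-ItemProperty "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if (-not $run) { continue }
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*' -or $prop.Value -isnot [string]) { continue }
        $cmd = [Environment]::ExpandEnvironmentVariables($prop.Value)
        if ($cmd -match '(?i)rundll32' -and $cmd -like "*$usersRoot\*.dll*") {
            Add-Finding "$hive\...\CurrentVersion\Run\$($prop.Name)" $cmd 'rundll32 loading a DLL from a user profile'
        }
    }
}

if ($findings.Count -eq 0) { 'No McRat-style persistence artefacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Each finding names the exact registry value to inspect; compare the referenced DLL against the 31744 B size given above and check its signature before removal.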