File Analysis
=============

Copyright (C) 1999, Diamond Computer Systems Pty. Ltd.
http://www.diamondcs.com.au
12-6-1999

NAME: Drat
TYPE: Remote Access Trojan
SIZE: 75,264 bytes
PORT: TCP 48 - port number is fixed.
      TCP 50 - port number is fixed.

RAT.Drat is a telnet-based trojan that uses stealth code from Back Orifice 2000 to inject itself into the threads of live processes by changing the export locations in the operating system's global ATI table. Its execution is silent, during which time it copies itself to Windows\SHELL32.EXE and modifies the following two registry entries:

HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default)
HKEY_CLASSES_ROOT\batfile\shell\open\command\(Default)

The value of these two keys normally defaults to:

"%1" %*

Drat changes these values to:

SHELL32 "%1" %*

What this means is that every time a .exe or .bat file is executed, Windows executes the file through SHELL32.EXE, causing the trojan to load each time.

Disinfection is standard as per almost all trojans - simply kill the process from memory and delete its parent .exe file. However, now comes the unusual twist in this RAT. We won't be able to execute any .exe or .bat files at this stage. No matter how we try to execute them, Windows will keep asking you to locate SHELL32.EXE, as this file no longer exists. This is fixed by changing the two registry values back to "%1" %*

If we can't run any .exe or .bat files, how can we run regedit.exe? The trojan fails to take out comfile\shell\open\command\(Default), which means that although you won't be able to run regedit.exe from Windows, you'll be able to shell to your DOS prompt (command.com) and run it from there. (DOS doesn't use registry keys when executing files.)

The stealth component of this trojan is also its main weak point. The trojan copies itself to Windows\SHELL32.EXE from its memory image - this "image" being the uncompressed, unencrypted version.
This means that no matter what compression or encryption algorithms are used on the original .exe, Drat will always save its unpacked version to Windows\SHELL32.EXE (75,264 bytes).

Encryption Scheme
=================

Drat communications are unencrypted and in plaintext, allowing a hacker to use telnet to connect to and control the server. However, Drat has built-in LZH compression and a simple encryption scheme. The encryption works 2 bytes at a time. The first byte has 2 added to its ASCII value. The second byte has 3 subtracted from its ASCII value. These two new bytes are then saved, and the next two in the string are taken.

Three strings inside the unpacked executable are encrypted. These strings are:

BYTE POSITION 56352
Encrypted: hqr+zlqj0`qj
Decrypted: ftp.xoom.com

BYTE POSITION 56368
Encrypted: Vbh\qfn\R^v
Decrypted: Tef_oil_Pat

BYTE POSITION 56416
Encrypted: Ulhqy^tb^Jk`tlulhq^Tkkflyp^@wotbpqXbtpklpYKkvbtkgq"Pgqvfpdu.....Gkc_nbCrvlffci
Decrypted: Software\Microsoft\Windows\CurrentVersion\Internet Settings1,1,1EnableAutodial

Drat allows the hacker to enter their own UIN number into the executable, so that when an infected machine connects to the internet, it will notify the hacker that they are online. The server can also be password-locked, and these two values are both encrypted using the same encryption scheme. The UIN is a 9-byte string, and starts at byte 56402. The password is a 16-byte string, and starts at byte 64641. Both values are terminated with null characters (ASCII 0).

Disinfection
============

Method 1
========

Using telnet, connect to port 48 on your system, log in with the password if it exists, and then send the command "erad". Erad is Drat's built-in self-destruct code, which will remove the server completely.
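The scheme above (+2 on the first byte of each pair, -3 on the second) is simple enough to work through in code. The following is an added example, not part of the Diamond Computer Systems writeup and not Drat's own code: it implements the encryption and its inverse, decodes the three listed ciphertexts, and reads null-terminated fields out of an unpacked image at the byte positions given for the strings, the UIN and the password. The only assumption beyond the writeup is that byte arithmetic wraps modulo 256; all of the writeup's strings stay within printable ASCII, so wrapping never occurs for them. The sample image built at the bottom is a constructed zero-filled buffer, not a real Drat binary, and its UIN and password are constructed placeholders.

```python
# Added example: Drat string scheme (+2 / -3 per byte pair) and field reader.
# Not code from the writeup; the sample image is constructed, not a real binary.

SHIFTS = (2, -3)  # applied at encryption time to even / odd positions of a string


def drat_encrypt(plain: bytes) -> bytes:
    """+2 on byte 0, -3 on byte 1, +2 on byte 2, ... (assumed to wrap mod 256)."""
    return bytes((b + SHIFTS[i % 2]) & 0xFF for i, b in enumerate(plain))


def drat_decrypt(cipher: bytes) -> bytes:
    """Inverse of drat_encrypt: -2 on byte 0, +3 on byte 1, ..."""
    return bytes((b - SHIFTS[i % 2]) & 0xFF for i, b in enumerate(cipher))


# The three ciphertexts the writeup lists, keyed by byte position in the unpacked image.
KNOWN_STRINGS = {
    56352: rb'hqr+zlqj0`qj',
    56368: rb'Vbh\qfn\R^v',
    56416: rb'Ulhqy^tb^Jk`tlulhq^Tkkflyp^@wotbpqXbtpklpYKkvbtkgq"Pgqvfpdu.....Gkc_nbCrvlffci',
}


def decode_known_strings() -> dict:
    """Decrypt the writeup's three strings; returns {offset: plaintext}."""
    return {off: drat_decrypt(c).decode("latin-1") for off, c in KNOWN_STRINGS.items()}


def read_field(image: bytes, offset: int, max_len: int) -> str:
    """Decrypt the NUL-terminated field starting at `offset`.
    Pair parity restarts at the start of each field, matching the writeup's
    per-string listings."""
    field = image[offset:offset + max_len]
    nul = field.find(b"\x00")
    if nul != -1:
        field = field[:nul]
    return drat_decrypt(field).decode("latin-1")


# Field layout from the writeup: UIN is 9 bytes at 56402, password 16 bytes at 64641,
# both NUL-terminated; the unpacked image is 75,264 bytes.
IMAGE_SIZE = 75_264
UIN_OFFSET, UIN_LEN = 56402, 9
PASSWORD_OFFSET, PASSWORD_LEN = 64641, 16


def build_sample_image(uin: bytes = b"123456789", password: bytes = b"letmein") -> bytearray:
    """Constructed stand-in for an unpacked image (NOT a Drat binary): zero-filled,
    with ciphertext placed at the documented offsets. UIN/password are placeholders."""
    uin, password = uin[:UIN_LEN], password[:PASSWORD_LEN]
    image = bytearray(IMAGE_SIZE)
    for off, cipher in KNOWN_STRINGS.items():
        image[off:off + len(cipher)] = cipher
    image[UIN_OFFSET:UIN_OFFSET + len(uin)] = drat_encrypt(uin)
    image[PASSWORD_OFFSET:PASSWORD_OFFSET + len(password)] = drat_encrypt(password)
    return image


if __name__ == "__main__":
    for off, text in decode_known_strings().items():
        print(f"{off}: {text}")
    img = build_sample_image()
    print("UIN:", read_field(img, UIN_OFFSET, UIN_LEN + 1))
    print("password:", read_field(img, PASSWORD_OFFSET, PASSWORD_LEN + 1))
```

Run against a real unpacked SHELL32.EXE image, `read_field(data, UIN_OFFSET, UIN_LEN + 1)` and `read_field(data, PASSWORD_OFFSET, PASSWORD_LEN + 1)` would recover the configured UIN and password the writeup describes; the trailing NUL is why `max_len` is one more than the field length.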
Method 2
========

(Must be done in order)

1. Start regedit.exe (and then minimise it)
2. Ctrl-Alt-Del - kill the infected process
3. Delete SHELL32.EXE from your Windows directory
4. Using regedit, change the following two keys:

   HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default)
   New value="%1" %*

   HKEY_CLASSES_ROOT\batfile\shell\open\command\(Default)
   New value="%1" %*

IF YOU MAKE A MISTAKE AND CAN'T RUN ANY .EXE FILES:
Shell to DOS Prompt (it's a .com file!) and start regedit.exe from there.
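The registry change is both the persistence mechanism described at the top of this analysis and the thing step 4 of Method 2 undoes. The following is an added example, not part of the Diamond Computer Systems writeup: it classifies each file type's shell\open\command default as clean, hijacked by Drat, or something else, and emits a REGEDIT4 fragment that restores the defaults for whichever keys are hijacked (the same edit Method 2 makes by hand in regedit). It assumes the clean value is exactly "%1" %* and the hijacked one is SHELL32 "%1" %* as the writeup states; the live read uses winreg and only runs on Windows, and the sample values are constructed to mirror an infected machine.

```python
# Added example: audit exefile/batfile/comfile shell\open\command defaults for
# the Drat SHELL32 hijack and build a REGEDIT4 restore fragment. Not code from
# the writeup; SAMPLE_INFECTED is constructed, not captured from a real host.
import sys

FILE_TYPES = ("exefile", "batfile", "comfile")   # comfile is the one Drat leaves alone
CLEAN_VALUE = '"%1" %*'


def classify_command(value: str) -> str:
    """Return 'clean', 'drat' or 'other' for one shell\\open\\command default."""
    v = value.strip()
    if v == CLEAN_VALUE:
        return "clean"
    # Tolerate case and spacing differences, and SHELL32 with or without .EXE
    tokens = v.upper().split()
    if tokens and tokens[0] in ("SHELL32", "SHELL32.EXE") and " ".join(tokens[1:]) == CLEAN_VALUE:
        return "drat"
    return "other"


def audit(values: dict) -> dict:
    """values: {file type: default command string} -> {file type: verdict}."""
    return {ft: classify_command(values.get(ft, "")) for ft in FILE_TYPES}


def restore_reg(file_types=("exefile", "batfile")) -> str:
    """REGEDIT4 text that sets the defaults back to "%1" %*; import with regedit.
    In .reg files '@=' is the default value and embedded quotes are backslash-escaped."""
    lines = ["REGEDIT4", ""]
    for ft in file_types:
        lines.append(f"[HKEY_CLASSES_ROOT\\{ft}\\shell\\open\\command]")
        lines.append('@="\\"%1\\" %*"')
        lines.append("")
    return "\n".join(lines)


def read_live_values() -> dict:
    """Windows only: read the live defaults via winreg (missing key -> '')."""
    import winreg
    found = {}
    for ft in FILE_TYPES:
        try:
            found[ft] = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, ft + r"\shell\open\command")
        except OSError:
            found[ft] = ""
    return found


# Constructed sample mirroring an infected machine as the writeup describes it.
SAMPLE_INFECTED = {
    "exefile": 'SHELL32 "%1" %*',
    "batfile": 'SHELL32 "%1" %*',
    "comfile": '"%1" %*',
}

if __name__ == "__main__":
    values = read_live_values() if sys.platform == "win32" else SAMPLE_INFECTED
    verdicts = audit(values)
    for ft, verdict in verdicts.items():
        print(f"{ft:8s} {verdict:6s} {values[ft]}")
    hijacked = [ft for ft, v in verdicts.items() if v == "drat"]
    if hijacked:
        print(restore_reg(hijacked))
```

Because comfile is reported separately, a "clean" verdict there alongside "drat" on exefile and batfile is exactly the pattern the writeup describes, and it is what makes the DOS-prompt route to regedit work. Anything reported as "other" is a non-default handler that is not Drat's and should be inspected rather than blindly overwritten.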