McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.Nuclearat.10 – Dr.Web

• Backdoor.Win32.Nuclear.h – Kaspersky

• W32/Nuclear.f – Eset Nod32

• W32/Nuclear.k - Norman

Characteristics

Backdoor-CQN is a Remote Access Trojan consisting of a server component, client component and a server editor component.

The characteristics of this Trojan with regards to the file names, port number used, etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

Server Component:

When the server component is executed, the Trojan drops itself to the 
%system% folder and creates registry entries to run on system startup.

Once running, the server component connects to a pre-defined IP address on a pre-defined port, awaiting for commands from the attacker

Note: %System% is a variable location and refers to the windows system directory.

Client Component:

The client component runs on the attacker’s computer, and connects to the server component on the victim’s machine remotely.

The following are a list of some of the functions that are available to the attacker:

• Process Manager (List, kill running processes)
• File Manager (List, upload, download, delete)
• Registry Manager (Browse Registry, add, edit, delete keys)
• Windows Manager (Browse, close, maximize/minimize, rename)
• Get system information
• Extract passwords from machine
• Key logger
• Read/Modify contents of the clipboard
• Screen capture
• Pranks played on the victim (Hiding desktop icons, start button, taskbar, opening and closing CD-Rom)
• Desktop logoff, reboot or shutdown
• FTP-server, Telnet-Server
• Format drives

Server Editor Component:

The server editor component is used by the attacker to create the server component.

The editor component is also used for the following:

• Set the IP address/DNS name the server has to connect to
• Change the icon for the server created, to make it look legitimate
• Set a custom “Fake Error Message” when the server is executed by the victim
• Set the startup method for the Trojan
• Choose from a range of notification methods. This is to notify the attacker about the victim’s IP address and name

Miscellaneous Information:

• This Trojan is written in Delphi
• The author’s intended name for the Trojan is “Nuclear RAT”

Symptoms

• Desktop firewall program alerting that a foreign program is trying to access the internet
• Presence of the files/Registry keys mentioned above
• Unexplained activity on the victim's machine indicative of someone having remote access via the client component

Method of Infection

• Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.
• Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
• Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.Nuclearat.10 – Dr.Web

• Backdoor.Win32.Nuclear.h – Kaspersky

• W32/Nuclear.f – Eset Nod32

• W32/Nuclear.k - Norman

Characteristics

Characteristics -

Backdoor-CQN is a Remote Access Trojan consisting of a server component, client component and a server editor component.

The characteristics of this Trojan with regards to the file names, port number used, etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

Server Component:

When the server component is executed, the Trojan drops itself to the 
%system% folder and creates registry entries to run on system startup.

Once running, the server component connects to a pre-defined IP address on a pre-defined port, awaiting for commands from the attacker

Note: %System% is a variable location and refers to the windows system directory.

Client Component:

The client component runs on the attacker’s computer, and connects to the server component on the victim’s machine remotely.

The following are a list of some of the functions that are available to the attacker:

• Process Manager (List, kill running processes)
• File Manager (List, upload, download, delete)
• Registry Manager (Browse Registry, add, edit, delete keys)
• Windows Manager (Browse, close, maximize/minimize, rename)
• Get system information
• Extract passwords from machine
• Key logger
• Read/Modify contents of the clipboard
• Screen capture
• Pranks played on the victim (Hiding desktop icons, start button, taskbar, opening and closing CD-Rom)
• Desktop logoff, reboot or shutdown
• FTP-server, Telnet-Server
• Format drives

Server Editor Component:

The server editor component is used by the attacker to create the server component.

The editor component is also used for the following:

• Set the IP address/DNS name the server has to connect to
• Change the icon for the server created, to make it look legitimate
• Set a custom “Fake Error Message” when the server is executed by the victim
• Set the startup method for the Trojan
• Choose from a range of notification methods. This is to notify the attacker about the victim’s IP address and name

Miscellaneous Information:

• This Trojan is written in Delphi
• The author’s intended name for the Trojan is “Nuclear RAT”

Symptoms

Symptoms -

• Desktop firewall program alerting that a foreign program is trying to access the internet
• Presence of the files/Registry keys mentioned above
• Unexplained activity on the victim's machine indicative of someone having remote access via the client component

Method of Infection

Method of Infection -

• Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.
• Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
• Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A