Nuclear RAT

Nuclear Remote Administration Tool
Common name	Nuclear RAT
Technical name	Nuclear Remote Administration Tool
Aliases	Backdoor.Delf.jl, Backdoor.Delf.jw, Backdoor.Win32.Nuclear.b, Win-Trojan/NucRAT, Win-Trojan:NucRAT, Win32/Nuclear.AG, Backdoor.Win32.Nuclear.ak
Family	Nuclear RAT
Classification	Trojan
Type	Windows NT, Windows 2000, Windows XP, Windows Server 2003
Subtype	Backdoor
Isolation	2003 - present (new variants being released)
Point of isolation	Unknown
Point of Origin	Brazil
Author(s)	caesar2k

Nuclear RAT (short for Nuclear Remote Administration Tool) is a backdoor trojan horse that infects Windows NT family systems (Windows 2000, XP, 2003).^[1] It uses a server creator, a client and a server to take control over a remote computer. It uses process hijacking to fool the firewall, and allows the server component to hijack processes and gain rights for accessing the internet.

The server component (217,600 bytes) is dropped under Windows, System32, or Program Files folders, under a custom named folder; the default is NR. Once the server component is run, it tries to connect to its client, that listens for incoming connections on a configurable port, to allow the attacker to execute arbitrary code from his or her computer.

The server editor component has the following capabilities:

Create the server component
Change the server component's port number and/or IP address / DNS, connection retry interval, direct or reverse connection mode.
Change the server component's executable name, installation folder, target process hijacking
Change the name of the Windows registry startup entry
Change the PHP notify location
Include any plugins to be executed once ran
Include a fake error message that will be showed upon execution

The client component has the following capabilities:

Take screenshots
View webcam shots
Capturing key strokes from the keyboard (keystroke logging)
General information about computer (Username, Timezone, Version installed, Language, Available drives, etc)
Mouse control
Remote BAT/VBS script execution
Monitor resolution
SOCKS 5
HTTP Webserver
Shell console
File Manager (Download files and folders, Delete, Upload, Execute, Rename, Copy, Set Attributes, Create Folder, etc)
Window Manager (Hide, show, close, minimize/maximize, disable/enable X, rename caption, send keys, etc)
Process Manager (kill, unload DLL, list DLLs)
Registry Manager (Create key, edit values REG_DWORD, REG_BINARY, REG_MULTI_SZ, REG_SZ, create values, rename values)
Clipboard manager
Plugins manager (to add extra funcionality to the malware)
Shutdown computer
Message Box
Chat with infected machine
Web downloader
IP Scanner
Port redirect
TCP tunnel
Cam caplute
See Eden/Jimbolance

Older versions of this malware had ability to change their look through using skinnable windows.

References

^ "Spyware Detail Nuclear RAT 1.0b1". Computer Associates. August 16, 2004. http://www.ca.com/securityadvisor/pest/pest.aspx?id=453078396. Retrieved 2009-03-01.

External links

~~Win32/Nuclear.AG~~, by PestPatrol (file not found - use ref)
Nuclear RAT All Versions, by MegaSecurity security database
Nuclear Winter Crew, Nuclear RAT creator's page

Nuclear RAT

References

See also

External links