Nuclear RAT
Nuclear RAT is a backdoor trojan horse that infects Windows NT family systems (Windows 2000, XP, 2003). It uses a server creator, a client and a server to take control of a remote computer. To get past the firewall it uses process hijacking: the server component takes over another process and so gains that process's rights to access the internet.

The server component (217,600 bytes) is dropped in a custom-named folder (default NR) under the Windows, System32 or Program Files directory. Once run, it tries to connect to its client, which listens for incoming connections on a configurable port, so that the attacker can execute arbitrary code on the infected machine from his or her own computer.
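As an added defender-side example (not from the article), the following Python triages exported Run-key entries for the two on-disk artefacts the article gives: an image inside a folder named NR directly under Windows, System32 or Program Files, and an image of exactly 217,600 bytes. The autorun entries and file sizes are constructed sample data.

```python
import re

# Artefacts the article reports for the Nuclear RAT server component.
DEFAULT_FOLDER = "NR"         # default name of the custom installation folder
SERVER_SIZE = 217600          # reported size of the server component in bytes
DROP_PARENTS = ("windows", "system32", "program files")

# Constructed sample: exported Run-key values as (value name, command line).
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("svchost", r'C:\WINDOWS\system32\NR\svchost.exe'),
    ("Updater", r'"C:\Program Files\NR\winupd.exe"'),
    ("Realtek", r'C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s'),
]

# Constructed sample: image sizes as a directory listing of the host would report them.
SAMPLE_SIZES = {
    r'C:\WINDOWS\system32\NR\svchost.exe': 217600,
    r'C:\Program Files\NR\winupd.exe': 412_000,
    r'C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe': 17_430_000,
}

def extract_image_path(command):
    """Return the executable path from a Run-key command line, quoted or not."""
    match = re.match(r'"([^"]+)"|(.+?\.exe)\b', command.strip(), re.IGNORECASE)
    if match:
        return match.group(1) or match.group(2)
    return command.strip().split()[0]

def triage_entry(command, size_lookup, folder_name=DEFAULT_FOLDER):
    """Return the reasons (possibly none) an autorun entry resembles the dropped server."""
    path = extract_image_path(command)
    parts = [p.lower() for p in path.replace("/", "\\").split("\\") if p]
    reasons = []
    # The image sits in a folder named NR directly under Windows, System32 or Program Files.
    if len(parts) >= 3 and parts[-2] == folder_name.lower() and parts[-3] in DROP_PARENTS:
        reasons.append(f"runs from a '{folder_name}' folder under '{parts[-3]}'")
    # The image has exactly the size reported for the server component.
    if size_lookup.get(path) == SERVER_SIZE:
        reasons.append(f"image size equals the reported server size ({SERVER_SIZE} bytes)")
    return reasons

def triage_autoruns(entries, size_lookup):
    """Map each flagged value name to its reasons; clean entries are omitted."""
    results = {name: triage_entry(cmd, size_lookup) for name, cmd in entries}
    return {name: reasons for name, reasons in results.items() if reasons}
```

Both checks are tunable heuristics rather than signatures: the server editor described below lets the operator change the installation folder, and a rebuilt server need not be 217,600 bytes, so treat a hit as a lead for manual review.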

The server editor component has the following capabilities:
  • Create the server component
  • Change the server component's port number and/or IP address or DNS name, connection retry interval, and direct or reverse connection mode
  • Change the server component's executable name, installation folder and target process for hijacking
  • Change the name of the Windows registry startup entry
  • Change the PHP notify location
  • Include any plugins to be executed once run
  • Include a fake error message that is shown upon execution


The client component has the following capabilities:
  • Take screenshots
  • View webcam shots
  • Capture keystrokes from the keyboard (keystroke logging)
  • General information about the computer (username, time zone, version installed, language, available drives, etc.)
  • Mouse control
  • Remote BAT/VBS script execution
  • Monitor resolution
  • SOCKS 5
  • HTTP web server
  • Shell console
  • File Manager (download files and folders, delete, upload, execute, rename, copy, set attributes, create folder, etc.)
  • Window Manager (hide, show, close, minimize/maximize, disable/enable X, rename caption, send keys, etc.)
  • Process Manager (kill, unload DLL, list DLLs)
  • Registry Manager (create key, edit REG_DWORD, REG_BINARY, REG_MULTI_SZ and REG_SZ values, create values, rename values)
  • Clipboard manager
  • Plugins manager (to add extra functionality to the malware)
  • Shut down computer
  • Message box
  • Chat with infected machine
  • Web downloader
  • IP scanner
  • Port redirect
  • TCP tunnel
  • Cam capture
  • See Eden/Jimbolance

Older versions of this malware could change their appearance by using skinnable windows.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.