
W32.Shadesrat.B

Posted: March 30, 2012

Threat Metric

Ranking: 5,433
Threat Level: 2/10
Infected PCs: 170,430
First Seen: March 30, 2012
Last Seen: October 13, 2023
OS(es) Affected: Windows

W32.Shadesrat.B is a malicious worm that spreads through removable drives. It also opens a back door on the affected computer by connecting to specific websites. When executed, W32.Shadesrat.B copies itself to the files listed below, then creates registry entries so that it starts automatically every time the computer is turned on, and further registry entries that add it to the Windows firewall's authorized-application list so the firewall does not block it. W32.Shadesrat.B then waits for commands that let a remote attacker perform numerous malicious actions on the compromised PC, including injecting itself into other running executables, hijacking the computer's audio or video, recording all keystrokes, performing distributed denial-of-service (DDoS) attacks through UDP flooding, sniffing network traffic, uploading or downloading files over HTTP and FTP, and running as a proxy that redirects the attacker's traffic. Remove W32.Shadesrat.B as soon as possible to keep your PC safe and clean.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created on the system:

%System%\winlogin.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

%UserProfile%\Application Data\data.dat
File type: Data file
Mime Type: unknown/dat
Group: Malware file

%UserProfile%\Application Data\EZSpammer.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

%DriveLetter%\autorun.inf
Mime Type: unknown/inf
Group: Malware file

%DriveLetter%\[ORIGINAL FILE NAME].exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

Registry Modifications

The following Registry values are created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\"winlogin" = "%UserProfile%\Application Data\EZSpammer.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AB68ADAA-71EF-4CDD-BFFF-CEC31F5A92EB}\"StubPath" = "%UserProfile%\Application Data\EZSpammer.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"winlogin" = "%UserProfile%\Application Data\EZSpammer.exe"
HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{AB68ADAA-71EF-4CDD-BFFF-CEC31F5A92EB}\"StubPath" = "%UserProfile%\Application Data\EZSpammer.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"winlogin" = "%UserProfile%\Application Data\EZSpammer.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%UserProfile%\Application Data\EZSpammer.exe" = "%UserProfile%\Application Data\EZSpammer.exe:*:Enabled:Windows Messan
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%CurrentFolder%\[ORIGINAL FILE NAME].exe" = "%CurrentFolder%\[ORIGINAL FILE NAME].exe:*:Enabled:Windows Messanger"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DoNotAllowExceptions" = "0"
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\"|Ae*}jFVWT" = "Blackshades"
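The file and registry artifacts above can be checked on a Windows host with a read-only audit. The following PowerShell function is an added example, not code from the original page or from any vendor tool; it assumes the paths, value names and CLSID listed above, resolves %System% and %UserProfile%\Application Data through the .NET special-folder API, and reports findings without deleting anything. Because the value name under the SrvID\ID key is garbled on the page, only the presence of that key is tested.

```powershell
# Added example: audit a host for the W32.Shadesrat.B persistence and
# firewall-exception artifacts this page lists. Read-only; returns findings.
function Get-ShadesratArtifacts {
    $appData  = [Environment]::GetFolderPath('ApplicationData')   # %UserProfile%\Application Data
    $sys32    = [Environment]::GetFolderPath('System')            # %System%
    $findings = @()

    # Dropped files named on the page
    foreach ($f in @((Join-Path $sys32 'winlogin.exe'),
                     (Join-Path $appData 'data.dat'),
                     (Join-Path $appData 'EZSpammer.exe'))) {
        if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
    }

    # Autorun values named "winlogin" in the Run and policies\Explorer\run keys
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
    foreach ($k in $runKeys) {
        $v = Get-ItemProperty -Path $k -Name 'winlogin' -ErrorAction SilentlyContinue
        if ($v) { $findings += "Autorun value: $k\winlogin = $($v.winlogin)" }
    }

    # Active Setup StubPath under the CLSID reported on the page
    $clsid = '{AB68ADAA-71EF-4CDD-BFFF-CEC31F5A92EB}'
    foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\Software') {
        $k = "$hive\Microsoft\Active Setup\Installed Components\$clsid"
        $v = Get-ItemProperty -Path $k -Name 'StubPath' -ErrorAction SilentlyContinue
        if ($v) { $findings += "Active Setup StubPath: $k = $($v.StubPath)" }
    }

    # Firewall: authorized-application entries for the dropper, and exceptions re-enabled
    $fw   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $list = Get-ItemProperty -Path "$fw\AuthorizedApplications\List" -ErrorAction SilentlyContinue
    if ($list) {
        $list.PSObject.Properties |
            Where-Object { $_.Name -like '*\EZSpammer.exe' -or $_.Value -like '*:Enabled:Windows Messan*' } |
            ForEach-Object { $findings += "Firewall exception: $($_.Name) = $($_.Value)" }
    }
    $dna = Get-ItemProperty -Path $fw -Name 'DoNotAllowExceptions' -ErrorAction SilentlyContinue
    if ($dna -and $dna.DoNotAllowExceptions -eq 0) { $findings += 'Firewall DoNotAllowExceptions = 0' }

    # Blackshades configuration key (value name garbled on the page, so key presence only)
    if (Test-Path 'HKCU:\Software\VB and VBA Program Settings\SrvID\ID') {
        $findings += 'Blackshades SrvID\ID key present'
    }
    return $findings
}

Get-ShadesratArtifacts
```

An empty result means none of the listed artifacts were found; any non-empty output should be treated as a lead for a full investigation rather than as proof of infection on its own, since file and value names can be reused by other software.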

Additional Information

The following URLs were detected:
download-step1.com