Infection Channel: Downloaded from the Internet, Dropped by other malware
GHOSTRAT is a family of backdoors, or more accurately, remote administration tools (RATs), used to gain control of the computers they infect. It is affiliated with the GhostNet bot network.
It steals information by logging keystrokes. The information it steals is usually system-related, such as the operating system version and processor speed. All data is then communicated back to C&C servers operated by GhostNet.
Memory Resident: Yes
Payload: Connects to URLs/IPs, Steals information
This backdoor drops the following file(s)/component(s):
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following copies of itself into the affected system:
%System Root%\Documents and Settings\All Users\Start Menu\Programs\Startup\Ball.exe
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
It creates the following folders:
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
This backdoor adds the following registry entries to enable its automatic execution at every system startup: