File Analysis
=============

Copyright (C) 1999, Diamond Computer Systems Pty. Ltd.
http://www.diamondcs.com.au

12-6-1999

NAME: Drat
TYPE: Remote Access Trojan
SIZE: 75,264 bytes
PORT: TCP 48 <primary>        - port number is fixed.
      TCP 50 <file transfer>  - port number is fixed.

RAT.Drat is a telnet-based trojan that uses stealth code from Back Orifice 2000 to
inject itself into the threads of live processes by changing the export locations in
the operating system's global ATI table.

Its execution is silent, during which time it copies itself to Windows\SHELL32.EXE and
modifies the following two registry entries:
	HKEY_CLASSES_ROOT  exefile\shell\open\command\(Default)
	HKEY_CLASSES_ROOT  batfile\shell\open\command\(Default)
The value of these two keys normally defaults to "%1" %*
Drat changes these values to SHELL32 "%1" %*
This means that every time a .exe or .bat file is executed, Windows runs the file
through SHELL32.EXE, causing the trojan to load each time.

Disinfection is standard, as for almost all trojans: simply kill the process in memory
and delete its parent .exe file. However, this RAT has an unusual twist. At this stage
we won't be able to execute any .exe or .bat files. No matter how we try to execute them,
Windows will keep asking us to locate SHELL32.EXE, as this file no longer exists. This is
fixed by changing the two registry values back to "%1" %*

If we can't run any .exe or .bat files, how can we run regedit.exe?
The trojan fails to take out comfile\shell\open\command\(Default), which means that
although you won't be able to run regedit.exe from Windows, you'll be able to shell to 
your DOS prompt (command.com) and run it from there. (DOS doesn't use registry keys 
when executing files).

The stealth component of this trojan is also its main weak point. The trojan copies
itself to Windows\SHELL32.EXE from its memory image, this "image" being the uncompressed,
unencrypted version. This means that no matter what compression or encryption
algorithms are used on the original .exe, Drat will always save its unpacked
version to Windows\SHELL32.EXE (75,264 bytes).


Encryption Scheme
=================

Drat's communications are unencrypted plaintext, allowing a hacker to use telnet to
connect to and control the server. However, Drat has built-in LZH compression and a simple
encryption scheme for the strings stored in its executable.

The encryption works 2 bytes at a time: the first byte has 2 added to its ASCII value, and
the second byte has 3 subtracted from its ASCII value. These two new bytes are saved, and the
next two bytes in the string are taken.

Three strings inside the unpacked executable are encrypted.
These strings are:

BYTE POSITION
56352   Encrypted   hqr+zlqj0`qj
        Decrypted   ftp.xoom.com

56368   Encrypted   Vbh\qfn\R^v
        Decrypted   Tef_oil_Pat

56416   Encrypted   Ulhqy^tb^Jk`tlulhq^Tkkflyp^@wotbpqXbtpklpYKkvbtkgq"Pgqvfpdu.....Gkc_nbCrvlffci
        Decrypted   Software\Microsoft\Windows\CurrentVersion\Internet Settings1,1,1EnableAutodial


Drat allows the hacker to enter their own UIN number into the executable, so that when an
infected machine connects to the internet, it notifies the hacker that it is online. The
server can also be password-locked, and these two values are both encrypted using the same
encryption scheme.

The UIN is a 9-byte string, and starts at byte 56402.
The password is a 16-byte string, and starts at byte 64641.
Both values are terminated with null characters (ASCII 0).
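The string scheme above (first byte +2, second byte -3, repeated along the string) and the
null-terminated UIN and password fields at bytes 56402 and 64641 are easy to check with a
small decoder. The following is an added example written for this analysis, not code from
Diamond CS or from the trojan; it decodes the three encrypted strings listed above, and
reads the two fields out of a constructed stand-in for the unpacked SHELL32.EXE image. The
parity is taken relative to the start of each string, as the description implies, and the
UIN and password values in the constructed image are made up for the example.

```python
"""Decoder for the 2-byte Drat string cipher (added example, not the original's code)."""

# The three encrypted strings as listed in the analysis, keyed by their byte offset
# in the unpacked executable.
ENCRYPTED_STRINGS = {
    56352: "hqr+zlqj0`qj",
    56368: r"Vbh\qfn\R^v",
    56416: 'Ulhqy^tb^Jk`tlulhq^Tkkflyp^@wotbpqXbtpklpYKkvbtkgq"Pgqvfpdu.....Gkc_nbCrvlffci',
}

IMAGE_SIZE = 75_264        # size of the unpacked SHELL32.EXE dropped by Drat
UIN_OFFSET, UIN_LEN = 56402, 9
PASSWORD_OFFSET, PASSWORD_LEN = 64641, 16


def drat_decrypt(data: bytes) -> bytes:
    """Undo the scheme: positions 0,2,4,... had 2 added, positions 1,3,5,... had 3 subtracted."""
    out = bytearray()
    for i, b in enumerate(data):
        out.append((b - 2) & 0xFF if i % 2 == 0 else (b + 3) & 0xFF)
    return bytes(out)


def drat_encrypt(data: bytes) -> bytes:
    """Apply the scheme as described: +2 on the first byte of each pair, -3 on the second."""
    out = bytearray()
    for i, b in enumerate(data):
        out.append((b + 2) & 0xFF if i % 2 == 0 else (b - 3) & 0xFF)
    return bytes(out)


def read_encrypted_cstring(image: bytes, offset: int, max_len: int) -> str:
    """Read a NUL-terminated encrypted field at `offset` from an unpacked image and decrypt it."""
    field = image[offset:offset + max_len]
    end = field.find(b"\x00")
    if end != -1:
        field = field[:end]
    return drat_decrypt(field).decode("latin-1")


def decode_known_strings() -> dict:
    """Decrypt the three strings from the analysis table, keyed by offset."""
    return {
        offset: drat_decrypt(enc.encode("latin-1")).decode("latin-1")
        for offset, enc in ENCRYPTED_STRINGS.items()
    }


def build_sample_image(uin: bytes = b"123456789", password: bytes = b"opensesame") -> bytes:
    """Constructed stand-in for the 75,264-byte unpacked image with a UIN and password planted
    at the offsets given in the analysis. The UIN and password here are invented for the example."""
    image = bytearray(IMAGE_SIZE)   # zero-filled, so each field is NUL-terminated
    enc_uin = drat_encrypt(uin[:UIN_LEN])
    image[UIN_OFFSET:UIN_OFFSET + len(enc_uin)] = enc_uin
    enc_pw = drat_encrypt(password[:PASSWORD_LEN])
    image[PASSWORD_OFFSET:PASSWORD_OFFSET + len(enc_pw)] = enc_pw
    return bytes(image)


if __name__ == "__main__":
    for offset, plain in decode_known_strings().items():
        print(f"{offset}: {plain}")
    img = build_sample_image()
    print("UIN:", read_encrypted_cstring(img, UIN_OFFSET, UIN_LEN))
    print("Password:", read_encrypted_cstring(img, PASSWORD_OFFSET, PASSWORD_LEN))
```

Running the decoder on a real sample means pointing `read_encrypted_cstring` at the dropped
Windows\SHELL32.EXE rather than the constructed image; because Drat writes its unpacked
memory image, the offsets in the table apply regardless of how the original .exe was packed.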


Disinfection
============

Method 1
========
	Using telnet, connect to port 48 on your system, log in with the password if one is set, and then
	send the command "erad". Erad is Drat's built-in self-destruct command, which removes the server
	completely.


Method 2
========
(Must be done in order)
	Start regedit.exe (and then minimise it)
	Ctrl-Alt-Del - kill the infected process
	Delete SHELL32.EXE from your Windows directory
	Using regedit, change the following two keys:
		HKEY_CLASSES_ROOT  exefile\shell\open\command\(Default)   New value="%1" %*
		HKEY_CLASSES_ROOT  batfile\shell\open\command\(Default)   New value="%1" %*

IF YOU MAKE A MISTAKE AND CAN'T RUN ANY .EXE FILES
Shell to the DOS prompt (command.com is a .com file, so it still runs!)
Start regedit.exe from there


