Backdoor.Orcus

Short Bio

Backdoor.Orcus is a Remote Access Trojan (RAT)  that is being sold on underground forums.

Symptoms

Backdoor.Orcus often creates Scheduled Tasks to gain persistence. The Scheduled Tasks have names like Orcus Respawner.job or Orcus.job.

Type and source of infection

Backdoor.Orcus offers a lot of configurability options. Installing a keylogger is one of these options.

Protection

Malwarebytes protects users from Backdoor.Orcus by using real-time protection.

block Backdoor.Orcus

Malwarebytes blocks Backdoor.Orcus

Remediation

Malwarebytes can removes Backdoor.Orcus without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  3. Then click Finish.
  4. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  5. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  6. When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  7. Restart your computer when prompted to do so.

Users of affected computers should take precautions against the consequences of stolen information.

Traces/IOCs

Scheduled Tasks:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Orcus

%SYSDIR%\Tasks\Orcus

%WINDIR%\Tasks\Orcus.job

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Orcus Respawner

%SYSDIR%\Tasks\Orcus Respawner

%WINDIR%\Tasks\Orcus Respawner.job

Related blog content

Information stolen? What now?

Decoy Microsoft Word document delivers malware through a RAT

Select your language