Backdoor.Orcus

Short Bio

Backdoor.Orcus is a Remote Access Trojan (RAT)  that is being sold on underground forums.

Symptoms

Backdoor.Orcus often creates Scheduled Tasks to gain persistence. The Scheduled Tasks have names like Orcus Respawner.job or Orcus.job.

Type and source of infection

Backdoor.Orcus offers a lot of configurability options. Installing a keylogger is one of these options.

Protection

Malwarebytes protects users from Backdoor.Orcus by using real-time protection.

block Backdoor.Orcus

Malwarebytes blocks Backdoor.Orcus

Remediation

Malwarebytes can removes Backdoor.Orcus without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click MBSetup.exe and follow the prompts to install the program.
  3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get started button.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantine to remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

Users of affected computers should take precautions against the consequences of stolen information.

Traces/IOCs

Scheduled Tasks:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Orcus

%SYSDIR%\Tasks\Orcus

%WINDIR%\Tasks\Orcus.job

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Orcus Respawner

%SYSDIR%\Tasks\Orcus Respawner

%WINDIR%\Tasks\Orcus Respawner.job

Related blog content

Information stolen? What now?

Decoy Microsoft Word document delivers malware through a RAT

Select your language