Bandook

Bandook RAT (short for Bandook Remote Administration Tool) is a backdoor trojan horse that infects Windows NT family systems (Windows 2000, XP, 2003, Vista). It uses a server creator, a client and a server to take control of the remote computer. It uses process hijacking / kernel patching to bypass the firewall, and allows the server component to hijack processes and gain rights for accessing the internet.

In other terms:

Bandook RAT is a secure remote control software or a Trojan that enables you to work on a remote computer as if you were sitting in front of it. This program is the ideal remote access solution. It is possible to access the remote computer from multiple places and view its screen and camera, listen on its microphone, retrieve passwords from it and more.

The server component (28,200 bytes) is dropped under the Windows, System32 or Program Files, Applications folders; the default name is ali.exe. Once the server component is run, it tries to connect to its client, which listens for incoming connections on a configurable port, to allow the attacker to execute arbitrary code from his computer.

The server editor component has the following capabilities:

Create the server component

Change the server component's port number and/or IP address / DNS, Persistence, Rootkit, SDT Restore and more

Change the server component's executable name, installation folder, target process hijacking

Change the name of the Windows registry startup entry or ActiveX key

Enable Offline Keylogger, Offline Instant Messengers Spy
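
A triage sketch for the default artefacts described above (the ali.exe name and the 28,200-byte server size), added here as an example and not taken from the original page or from any security product. The function names and the "MZ" header check are assumptions of this example; because the server editor can change the executable name and installation folder, a clean result does not rule out an infection.

```python
import os

DEFAULT_NAME = "ali.exe"   # default server file name stated on the page
SERVER_SIZE = 28_200       # server component size in bytes stated on the page


def is_pe(path):
    """True if the file starts with the DOS 'MZ' magic of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def triage(roots):
    """Return {path: [reasons]} for files matching the page's default artefacts."""
    hits = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    size = os.path.getsize(path)
                except OSError:
                    continue  # unreadable or vanished file, skip it
                reasons = []
                if name.lower() == DEFAULT_NAME:
                    reasons.append("default-name")
                # Size alone is noisy, so require an executable header as well.
                if size == SERVER_SIZE and is_pe(path):
                    reasons.append("size-and-pe-header")
                if reasons:
                    hits[path] = reasons
    return hits


if __name__ == "__main__":
    # Walking the Windows directory also covers System32.
    roots = [os.environ.get("SystemRoot", r"C:\Windows"),
             os.environ.get("ProgramFiles", r"C:\Program Files")]
    for path, reasons in sorted(triage(roots).items()):
        print(path, ",".join(reasons))
```

Any hit is only a lead for further inspection, since legitimate files can share a name or a size.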

Features list of the Program

Firewall bypass method: FWB#++ (Code Injection, API Unhook, Kernel Patch)

Reverse connection, all traffic through one port

Safe Thread Based Client

Persistence (Irremovable)

Rootkit

Plugins Based Server (30 KB Packed)

Very Friendly Graphical User Interface

Different Installation Paths

PNG / JPEG Compressions for screencapture and webcam

Managing Features

File manager with all types of functions, including Folder Mirror, Rar Folder/Files, File Search, Infect Files, Multiple Files Download / Upload, Download / Upload manager

Registry Editor with all types of functions

Process manager (shows full path, and Modules Manager)

Windows Manager (including a Send Key Function)

Services Manager

Connection Features

Socks 4 proxy

HTTP / HTTPS proxy

Port Redirection

TCP TUNNEL

HTTP WEB Server

FTP Server

Remote Shell

Flooding (Mailbomb, DDoS attacks)

Spying Features

Screen manager with Screen Clicks

Cam manager that supports systems with multiple cams

Mic Manager (record voice from mic)

IMs Spy (MSN, Yahoo, AIM)

Keylogger (live one)

Offline keylogger (Colored HTML), Live Passwords, IMs Spy with Automatic Delivery to FTP

Cached PWS Fetcher [6 embedded PWS Plugins]

VNC (Remote Desktop Live Control)

Site Detection: check all victims and see which one visits a specific site

Clipboard manager

Information about the remote machine

Cache Reader

Screen Recorder (records the user's activities on the screen into AVI movies)

Others

Shutdown Menu

Nuclear Fun Agent (Fun)

Download from Web / Mass Download / Selection Download

Visit Site

Older versions of this malware had the ability to change their look by using skinnable windows.




Resource: Part or all of the information provided in this section is brought to you via Wikipedia and other similar sites. Please respect their licenses and for more information visit the homepages of these sites.

Copyright © iFreeware Downloads 2005-2012
All rights reserved