The report describes a network that researchers have called GhostNet, which primarily uses a malicious software program called gh0st RAT (Remote Access Tool) to steal sensitive documents and control systems remotely.
The system disseminates malware to selected recipients via computer code attached to stolen emails and addresses, thereby expanding the network by allowing more computers to be infected. Once infected, a computer can be controlled or inspected by the attackers. The malware even has the ability to turn on the camera and audio-recording functions of an infected computer.
How it works
GhostNet spyware uses a technology called a RAT, or Remote Administration Tool.
It is a software application that gives an attacker the capability to control your computer system remotely whenever you are online. The attacker can perform operations such as adding or deleting programs and files, transferring files, capturing screenshots, etc. The attacker may also use the captured computer for other purposes, such as sending malicious attacks.
RAT Trojan Horses
Many trojans and backdoors now have remote administration capabilities allowing an individual to control the victim's computer. Many times a file called the server must be opened on the victim's computer before the trojan can have access to it. These are generally sent through email, P2P file sharing software, and in internet downloads. They are usually disguised as a legitimate program or file. Many server files will display a fake error message when opened, to make it seem like it didn't open. Some will also kill antivirus and firewall software. RAT trojans can generally do the following:
• Download, upload, delete, and rename files
• Format drives
• Open CD-ROM tray
• Drop viruses and worms
• Log keystrokes, keystroke capture software
• Hack passwords, credit card numbers
• Hijack homepage
• View screen
The Trojan horse, in the context of computing and software, describes a class of computer threats (malware) that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the host machine, giving attackers the ability to save their files on the user's computer or even watch the user's screen and control the computer.
A Trojan Horse Virus is also usually capable of stealing important information from the user's computer. It will then send this information to Internet servers designated by the developer of the virus. The developer will then be able to gain a level of control over the computer through this Trojan virus. While these things take place, the user will notice that the infected computer has become very slow or that unexpected windows pop up without any activity from the user.
How to remove a Trojan from the system:
In order for the trojan to be completely removed from your system, you need to remove its registry entries. This way it will not be able to re-install itself. The Trojan is an "exe" process, so you can find it in the Run folder of your registry.
The registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This action will help you eliminate any chance of it reinstalling itself. Here is how:
1. Click Start
2. Click Run
3. Type regedit
4. Find this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right section, click the process. For example, the trojan may be "rusvdgpo". Delete all exe and dll files associated with the trojan's name.
6. Delete the value.
This is how you can remove a trojan from your computer.
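One way to support steps 4 to 6 above, as an added example that is not part of the original post: a PowerShell script that lists every value under the Run key with its target file and Authenticode signature status, so the entry can be identified before it is deleted. The HKCU key, the list of user-writable folders and the Review rule are assumptions of this example, not GhostNet indicators.

```powershell
# Added example: audit Run-key autostarts before deleting a value in regedit.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # key named in the steps above
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # assumption: per-user twin of that key
)
# Assumption: user-writable locations are unusual homes for legitimate autostart binaries.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC) | Where-Object { $_ }

function Get-RunTargetPath {
    # Pull the executable or DLL path out of a Run value's command line.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }          # "C:\dir\app.exe" /arg
    if ($cmd -match '^(.+?\.(exe|dll|com|scr|bat|cmd))(\s|,|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        if (-not $command.Trim()) { continue }                    # skip empty values
        $target = Get-RunTargetPath -CommandLine $command
        if (-not [IO.Path]::IsPathRooted($target)) {
            # Bare names such as rundll32.exe are resolved through PATH.
            $found = Get-Command -Name $target -CommandType Application -ErrorAction SilentlyContinue |
                Select-Object -First 1
            if ($found) { $target = $found.Path }
        }
        $exists = Test-Path -LiteralPath $target -PathType Leaf
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $target } else { $null }
        $inUserDir = [bool]($userWritable | Where-Object {
            $target.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Command   = $command
            Target    = $target
            Signature = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Review = worth a closer look, not a verdict.
            Review    = (-not $exists) -or ($sig.Status -ne 'Valid') -or $inUserDir
        }
    }
}
$report | Sort-Object -Property Review -Descending | Format-List
```

The script only reads the registry and changes nothing; an entry marked Review is a candidate for inspection rather than a confirmed trojan.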
For more information about GhostNet and the removal process, please follow the link to the Symantec site.
6 comments
You got a sample of this malware?
I would like to analyze it :)
Have used AVG protection for a couple of years, and I'd recommend this Anti virus to everyone.
Would you like me to send it to you?
Do you have the source code or the malware itself?