Please help: who is this RAT ?

TDS3 tells me I'm infected with a RAT.Haxdoor trojan (file trace in C:\WINNT\System32\w32tm.exe).I've sent the file to DiamondCS but apparently my mail client is knocked out. I've told TDS to delete the file - it seems unable to do so.
I have also googled for this RAT.Haxdoor - unknown.Please advise.

 

RAT = Remote Admnistration Tool.
Haxdoor is pretty famous.
try googling "haxdoor removal"

 

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.haxdoor.html

 

Hi, I'm a bit late in answering because I perused the Symantec instructions for removal and then went to the registry to delete all the registry entries added by the RAT.
Well, there weren't any : I think that ProcessGuard must have closed the door. Very interesting!
Thank you very much for your help no13 !

 

I suggest you have a look here: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.haxdoor.d.html

That's in fact your particular 'guest'...

 

I have the exact same problem. Checked and I also found no reg. entries - but I get the same warning every time I scan:

File Trace: Default trojan filename: RAT.Haxdoor
File: C:\WINNT\System32\w32tm.exe

when I tell TD3 to delete the file, it lists it as deleted, but it shows up again as soon as I scan .... Is it still there? Is it still a problem?

 

It would be best to post in one of the forums still offering spyware/malware removal services. Here are a few good ones:

CastleCops: http://castlecops.com/forums.html
Spyware Warrior Forums: http://www.spywarewarrior.com/index.php
SpywareInfo: http://www.spywareinfoforum.com/

 

Thanks Tony. I didn't know this forum had stopped offering those services. I'll check out the links you posted.

 

You're welcome. Do check out that Symantec link I posted though; it may help.

 

same problem with w32tm.exe , no reg entries , also scanned with Pest Patrol which is supposed to find and delete Rat.Haxdoor , it didn't find anything , tried a couple of online scans again nothing . Could this be a false positive .

 

I am also wondering if this Rat is a false alarm. I just updated the radius TD-3 and then found it on two PC. None of the other AV or AT programs picks up anything and while I can find the files on my PCs, the last modification date according to explorer was 23/8/01 and 21/9/03 respectively.
One PC is running XP, hardware and software firewall, NOD32 and as I am testing AT programs it's also running Ewido and Spywaresweeper. Apart from TDS-3 none of the other program has given me any alert. I even downloaded Trojanhunter to check and nothing is shown.

The other PC is W2000 with NAV. According to the earlier link, Symantec detects this trojan and can remove it. However when I run a scan with the latest updates, NAV does not show any RAT or Backdoor...

I am a bit frustrated as I feel running all these programs does not make me feel more secure just more paranoid

 

Hi,

Just only to make sure: are you running TDS-3 as admin?
Please have a look at this thread from Gavin:
https://www.wilderssecurity.com/showthread.php?t=29034

I don't know whether this is the culprit in this case, but it could be....

 

hi


guys the haxdoor drops several files when installed, exe's, dll's, and sys files

the other components reload the exes

scan with tds in safe mode, do all possible scans in tds's menu


set the heuristic sensitivity to max before scanning

and before deleting anything post the scandump.txt for us to see...then delete everything with positive identification

 

@Fanj - thanks for that link. While it sounded promising ( as the alert is trace related), it does not help me (or I don't know how to do it properly).
When doing it on PC 1, my normal account has admin privileges and if trying to use the other option by typing in administrator I get the following error message: "the service cannot be started, either because it is enabled or because it has no devices associated with".
On the other PC (W2000) there is no run as option when rightclicking TDS-3.

@Illuka, I have run the scan several times but it only shows up one file trace.

 

Have you tried to scan that file at :

KAV online scanner:
http://www.kaspersky.com/remoteviruschk.html

Jotti online scanner:
http://virusscan.jotti.org/

What do those scans say?
Please let us know; thanks !

 

Thanks for the great link - I ran both scans and nothing showed up at Kapersky or Jotti.
Feeling a bit more relaxed now though these two scans of course do not necessarily proof anything. Would a trojan even show up there as these are virus scans?

 

Hi Beethoven,

Thanks for letting us know

As for KAV: usually you would say, yes indeed it would tell you so.
There is of course always a chance that something is not yet in the defs of a scanner.

I had a liitle bit the feeling that, when I saw several people posting here in this thread about the same warning on the same file, there could be a false positive from TDS-3 (that can happen to all scanners).
Maybe others with that same warning, could also post the results on those online scanners.

I really don't know whether it is indeed a false positive or not
I guess we have to wait for Gavin to have a closer look at it.
But since it is Australian Day, a public holiday in Australia, we might have to wait until tomorrow.

As for your question about running TDS-3 as admin:
all I can do, is point to that thread from Gavin; I myself have only W98SE, so it would make no sense when I would try to tell more about it.
I hope others can help you here.


EDIT :
I want to make clear that I wrote:
I really don't know whether it is indeed a false positive or not.

 

you should boot from the windows boot CD, use the repair console and delete the dropper file, maybe the w32tm.exe file or other infected files. Note: It is possible that many AT/AV scanners cannot remove the trojan files of the haxdoor family, also not in the safe mode.

 

Today TDS-3 found this "Trojan" on my machine, too.
I think it is a false alarm because no TCP-Port 7080,8008 or 16601 is open and no flie c3.sys, boot32.sys, smtapi.sys etc. can be found.
BTW I am waiting for the signatures from today.

WTM32.EXE
SIZE: 61,440 bytes
CREATED: 15 April 2004
VERSION: 5.0.2195.6824

I started the program, the cmd-box will open, but nothing happens any more.
After starting also no infection found

 

TDS-3 found this one in my PC too, but only in WINNT/System32 and it turned out to be a normal Windows fiile. I scanned with Norton AV with today's definition files, nothing was found. Then I scanned with Trend Micro, same result. I think that TDS-3 simply reacted to the file name and gave a warning "default trojan filename". I tried to submit the file, but could not understand the procedure. Some of TDS's instructions are cryptic. I hope that this is cleared up in the next definition update

 

I vote for a false positive on W32tm.exe as the reason.

 

After I first posted that this might be a false positive I spent the rest of the day scanning with everything you can imagine the out come still nothing . Like Beethoven & Dieter I checked the dates on the rogue files and they are 2001 & 2004 . Also as Dieter mentions none of the suspect ports are open . I did send an email to the TDS guys and waited all day for some kind of answer - Australia Day holiday of course no one at work , silly me I am an Australian and didn't realize . So now as well as being paranod I'm apparently unpatriotic , boy you can get lost on a wild goose chase . Got so caught up even missed the cricket _ now that is serious . My money is still on a false positive .

 

Just did a MD5 check on w32tm.exe and compared it with the same on a machine saying its clean , both numbers the same .

 

Just got my response from TDS - it's a false alarm and will be removed soon
Thanks everybody for their support and thanks to TDS for getting back so quickly

 

just recieved an email from TDS ;

False alarm, this file exists if you have the Windows Time service enabled
Removing the detection today

well that was enough excitment for a few days hey folks