RAHack: RasbaVirus - Radmin software is the problem

Discussion in 'malware problems & news' started by aniemotion, Jan 31, 2005.

Thread Status:
Not open for further replies.
  1. aniemotion

    aniemotion Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    2
    I found this article: http://www.esecurityplanet.com/alerts/article.php/3453081:

    W32/RAHack is a virus that attempts to exploit Radmin software. Radmin is remote administration software provided by Famatech. The software uses port 4899 by default. The virus scans random IP addresses for port 4899 and attempts to exploit the software.

    When run, the virus copies itself to Windows system directory (%SysDir%) as:

    mscolsrv.exe (69,565)
    svchsot.exe (69,565)

    It drops the following files to the Windows system directory:

    server.dll (78,781)
    syshid.exe (5,120)

    The following registry keys are created in order to load the virus at Windows start up:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "sysser" = "%SysDir%\svchsot.exe"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSCoolServ "ImagePath" = "%SysDir%\mscolsrv.exe -service"
    HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = "syshid.exe "%1" %*"

    The virus scans for .htm files on the local machine. For every .htm file found, the virus copies itself to the directory using the same file name. It overwrites the .htm file with a line of code that runs the virus when the .htm file is run.
     
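A practitioner reading the indicators above will want a quick way to triage a host for them. The script below is an added example written for this thread; it is not from the eSecurityPlanet article, from Famatech, or from any AV vendor. It parses a constructed `.reg` export and a constructed file listing of %SysDir% and flags the Run value, the MSCoolServ service, the exefile handler hijack and the four dropped files named in the post. The sample data, the function names and the "benign.dll" entry are invented for illustration; on a real host you would feed it the output of `reg export` and a directory listing instead. The exefile check is deliberately generic: the stock handler is `"%1" %*`, so anything else means .exe launches are being intercepted, by syshid.exe or by something else.

```python
"""Offline IOC triage for the W32/RAHack indicators quoted in the post.

Added example for this thread (not vendor code). Input is a REGEDIT-style
export and a list of (filename, size) tuples; output is a list of hits.
"""
import re

# Dropped/copied files and their sizes in bytes, as listed in the post.
RAHACK_FILES = {
    "mscolsrv.exe": 69565,
    "svchsot.exe": 69565,
    "server.dll": 78781,
    "syshid.exe": 5120,
}

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"

# (registry key, value name, substring expected in the data); "@" is the
# (Default) value in .reg syntax.
RAHACK_REG = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "sysser", "svchsot.exe"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSCoolServ", "ImagePath", "mscolsrv.exe"),
    (EXEFILE_KEY, "@", "syshid.exe"),
]

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_lower: {value_name: data}}.

    Only REG_SZ values ("name"="data" and @="data") are handled, which is
    all the indicators above need; other value types are ignored.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry") \
                or line.startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # Undo .reg escaping of quotes and backslashes inside REG_SZ.
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            result[current][name] = data
    return result


def _get(reg, key, name):
    return reg.get(key.lower(), {}).get(name)


def check_registry(reg):
    """Return the persistence/hijack values from the post that are present."""
    hits = []
    for key, name, needle in RAHACK_REG:
        data = _get(reg, key, name)
        if data is not None and needle.lower() in data.lower():
            hits.append(f"{key}\\{name} = {data}")
    return hits


def exefile_handler_hijacked(reg):
    """True unless the exefile open command is the stock '"%1" %*'."""
    data = _get(reg, EXEFILE_KEY, "@") or ""
    return data.strip() != '"%1" %*'


def check_files(listing):
    """listing: iterable of (filename, size) for %SysDir%; returns hits."""
    hits = []
    for name, size in listing:
        expected = RAHACK_FILES.get(name.lower())
        if expected is not None:
            note = "size matches" if size == expected else f"size differs ({size} vs {expected})"
            hits.append(f"{name}: {note}")
    return hits


# Constructed sample input mimicking an infected host (not captured data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sysser"="C:\\WINDOWS\\system32\\svchsot.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSCoolServ]
"ImagePath"="C:\\WINDOWS\\system32\\mscolsrv.exe -service"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="syshid.exe \"%1\" %*"
'''

SAMPLE_FILES = [("svchsot.exe", 69565), ("mscolsrv.exe", 69565), ("server.dll", 78781),
                ("syshid.exe", 5120), ("benign.dll", 12345)]

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    for hit in check_registry(reg) + check_files(SAMPLE_FILES):
        print("HIT:", hit)
    print("exefile handler hijacked:", exefile_handler_hijacked(reg))
```

Note that the exefile hijack is the first thing to deal with when cleaning a host: once `"(Default)"` points at syshid.exe, every .exe launched (including your cleanup tools) goes through the dropped file until the value is restored to `"%1" %*`.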
  2. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Technically, that sounds like a "RAT" or backdoor trojan. Thanks for the heads-up. ;)
     