RAHack: RasbaVirus - Radmin software is the problem

I fond this article: http://www.esecurityplanet.com/alerts/article.php/3453081:

W32/RAHack is a virus that attempts to exploit Radmin software. Radmin is a remote administrator software provided by Famatech. The software uses port 4899 by default. The virus scans random IP addresses for port 4899, attempts to exploit the software.

When run, the virus copies itself to Windows system directory (%SysDir%) as:

mscolsrv.exe (69,565)
svchsot.exe (69,565)

It drops the following files to the Windows system directory:

server.dll (78,781)
syshid.exe (5,120)

The following registry keys are created in order to load the virus at Windows start up:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "sysser" = "%SysDir%\svchsot.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSCoolServ "ImagePath" = "%SysDir%\mscolsrv.exe -service" HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = syshid.exe "%1" %*"

The virus scans for .htm files on the local machine. For every .htm file found, the virus copies itself to the directory using the same file name. It overwrites the .htm file with a line of code, that runs the virus when the .htm file is run

 

Technically, that sounds like a "RAT" or backdoor trojan. Thanks for the heads-up.