RAHack: RasbaVirus - Radmin software is the problem

Discussion in 'malware problems & news' started by aniemotion, Jan 31, 2005.

Thread Status:
Not open for further replies.
  1. aniemotion

    aniemotion Registered Member

    Jan 31, 2005
    I fond this article: http://www.esecurityplanet.com/alerts/article.php/3453081:

    W32/RAHack is a virus that attempts to exploit Radmin software. Radmin is a remote administrator software provided by Famatech. The software uses port 4899 by default. The virus scans random IP addresses for port 4899, attempts to exploit the software.

    When run, the virus copies itself to Windows system directory (%SysDir%) as:

    mscolsrv.exe (69,565)
    svchsot.exe (69,565)

    It drops the following files to the Windows system directory:

    server.dll (78,781)
    syshid.exe (5,120)

    The following registry keys are created in order to load the virus at Windows start up:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "sysser" = "%SysDir%\svchsot.exe"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSCoolServ "ImagePath" = "%SysDir%\mscolsrv.exe -service" HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = syshid.exe "%1" %*"

    The virus scans for .htm files on the local machine. For every .htm file found, the virus copies itself to the directory using the same file name. It overwrites the .htm file with a line of code, that runs the virus when the .htm file is run
  2. Randy_Bell

    Randy_Bell Registered Member

    May 24, 2002
    Santa Clara, CA
    Technically, that sounds like a "RAT" or backdoor trojan. Thanks for the heads-up. ;)
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.