Remacc.Radmin


Updated: February 13, 2007 11:34:57 AM
Type: RemoteAccess
Publisher: Famatech LLC.
Risk Impact: Low
File Names: Radmin.exe R_server.exe raddrv.dll ginstall.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


Remacc.Radmin is often installed from a legitimate package to a configurable location. By default, that location is C:\Program Files\radmin. However, its component can be placed on a computer without any installation procedure.

Upon execution, Remacc.Radmin can be configured to run in stealth mode, allowing the remote attacker to control the compromised computer. The ports used are configurable.

When Remacc.Radmin is installed, it does the following:
  1. Creates the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\r_server

    so that a service is created.

  2. Creates a service with the following characteristics:

    Service Name: r_server
    Display Name: Remote Administrator Service

  3. Creates the following subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Remote Administrator v2.2
    HKEY_LOCAL_MACHINE\System\RAdmin

  4. May modify the hosts file.
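
The artifacts listed above can be inventoried on a host with the following script. It is an added example, not part of the original writeup. It assumes Windows PowerShell 4.0 or later run from an elevated prompt, and `Add-Finding` is a helper name made up for this example.

```powershell
# Added example: inventory the Remacc.Radmin artifacts named in this writeup.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Item, $Detail) {   # hypothetical helper for this example
    $findings.Add([pscustomobject]@{ Type = $Type; Item = $Item; Detail = $Detail })
}

# Steps 1 and 3: registry subkeys created at install time.
$regKeys = @(
    'HKLM:\System\CurrentControlSet\Services\r_server',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Remote Administrator v2.2',
    'HKLM:\System\RAdmin'
)
foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) { Add-Finding 'Registry' $key 'subkey present' }
}

# Step 2: the r_server service. Start with the default directory from the writeup.
$dirs = @('C:\Program Files\radmin')
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='r_server'" -ErrorAction SilentlyContinue
if ($svc) {
    $detail = '{0}; {1}; {2}; {3}' -f $svc.DisplayName, $svc.State, $svc.StartMode, $svc.PathName
    Add-Finding 'Service' $svc.Name $detail
    # The install location is configurable, so take the real directory from the image path.
    if ($svc.PathName -match '^"?([^"]+?\.exe)') { $dirs += Split-Path -Parent $Matches[1] }
}

# File names from the writeup, hashed so they can be compared against a known-good package.
$names = 'Radmin.exe', 'R_server.exe', 'raddrv.dll', 'ginstall.dll'
foreach ($dir in ($dirs | Sort-Object -Unique)) {
    foreach ($name in $names) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Add-Finding 'File' $path "SHA256 $hash"
        }
    }
}

# Step 4: list active hosts entries other than the stock localhost lines for manual review.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -LiteralPath $hostsFile -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*[^#\s]' -and
                   $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*(#.*)?$' } |
    ForEach-Object { Add-Finding 'Hosts' $hostsFile $_.Trim() }

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No Remacc.Radmin artifacts from this writeup were found.' }
```

Because the package is also installed legitimately, compare any findings against the list of hosts where remote administration is authorized.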

