Remacc.Radmin


Updated: February 13, 2007 11:34:57 AM
Type: RemoteAccess
Version: n/a
Publisher: Famatech LLC.
Risk Impact: Low
File Names: Radmin.exe R_server.exe raddrv.dll ginstall.dll
Systems Affected: Windows

Behavior


Remacc.Radmin is a component of the remote control software, Remote Administrator.

Remote Administrator is legitimate remote administration software. However, its server component can be used for malicious purposes: once installed and configured by an attacker, it allows that attacker to control the user's computer remotely.

Symptoms


The files are detected as Remacc.Radmin.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version November 07, 2017 revision 009
  • Initial Daily Certified version October 14, 2003 revision 003
  • Latest Daily Certified version November 07, 2017 revision 024
  • Initial Weekly Certified release date October 15, 2003




Remacc.Radmin is often installed from the legitimate package to a configurable location. By default, that location is C:\Program Files\radmin. However, its components can be placed on a computer without any installation procedure, so the absence of the default folder does not mean the server is absent.

Upon execution, Remacc.Radmin can be configured to run in stealth mode (no visible indication to the logged-on user), allowing the remote attacker to control the compromised computer. The ports used are configurable, so detection should not rely on a fixed port number.

When Remacc.Radmin is installed, it does the following:

  1. Creates the following registry subkey, which registers the service described in step 2:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\r_server

  2. Creates a service with the following characteristics:

    Service Name: r_server
    Display Name: Remote Administrator Service

  3. Creates the following subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Remote Administrator v2.2
    HKEY_LOCAL_MACHINE\System\RAdmin

  4. May modify the hosts file.




The following instructions pertain to all Symantec antivirus products that support Security Risk detection.

  1. Update the definitions.
  2. Remove all the entries that the risk added to the hosts file.
  3. Restart the computer in Safe mode.
  4. Run a full system scan and delete all the files detected as Remacc.Radmin.
  5. Delete any values added to the registry.
For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To remove all the entries that the risk added to the hosts file
  1. Navigate to the following location:

    • Windows 95/98/Me:
      %Windir%
    • Windows NT/2000/XP:
      %Windir%\System32\drivers\etc

      Notes:
    • The location of the hosts file may vary and some computers may not have this file. There may also be multiple copies of this file in different locations. If the file is not located in these folders, search your disk drives for the hosts file, and then complete the following steps for each instance found.
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

  2. Double-click the hosts file.
  3. If necessary, deselect the "Always use this program to open this file" check box.
  4. Scroll through the list of programs and double-click Notepad.
  5. When the file opens, delete all the entries added by the risk. (The Technical Details section above notes only that the hosts file may be modified and lists no specific entries; remove any entry that you did not add yourself.)
  6. Close Notepad and save your changes when prompted.


3. To restart the computer in Safe mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode. For instructions, read the document: How to start the computer in Safe Mode.

4. Scanning for and deleting the files
Start Norton AntiVirus and make sure that it is configured to scan all the files. For more information, read the document, "How to configure Norton AntiVirus to scan all files."
Run a full system scan.
If any files are detected as Remacc.Radmin, click Delete.

5. To delete the value from the registry

Note: This procedure is optional. The keys that currently known versions of this risk add are not likely to do any harm if they are left in the registry. Removing them is mainly useful to confirm that the service registration is gone.

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry.

  1. Click Start, and then click Run.
  2. Type regedit

    Then click OK.
  3. Navigate to and delete the registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Remote Administrator v2.2
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\r_server
    HKEY_LOCAL_MACHINE\System\RAdmin

  4. Exit the Registry Editor.
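
The following script is an added example and is not Symantec's or Famatech's code. It turns the indicators listed in the Technical Details section (the r_server service, the three registry subkeys, the four file names, the hosts file) into an audit that an administrator can run before starting the removal procedure above, and, with -Remove, performs steps 5 (service and registry cleanup) of that procedure. Assumptions: it runs in an elevated PowerShell session on Windows 8 / Server 2012 or later (Get-NetTCPConnection is used to list whatever port the configurable server is actually listening on); the search roots are the documented default install folder plus System32, which is an assumed location, not one the writeup names; file deletion and hosts-file editing are left to the antivirus scan and to manual review because the page gives no list of hosts entries. Confirm that Remote Administrator is not an authorized tool in your environment before running it with -Remove.

```powershell
<#
  Added example: audit a Windows host for the Remacc.Radmin indicators from this
  writeup and optionally remove the service and registry keys.
  Assumes an elevated session and Windows 8 / Server 2012 or later.
  Usage:  .\Find-Radmin.ps1            (report only)
          .\Find-Radmin.ps1 -Remove    (also stop/delete service and keys; honours -WhatIf)
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remove   # without -Remove the script only reports
)

# Indicators taken from the Technical Details section above
$ServiceName  = 'r_server'
$RegistryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Remote Administrator v2.2',
    'HKLM:\SYSTEM\CurrentControlSet\Services\r_server',
    'HKLM:\SYSTEM\RAdmin'
)
$FileNames    = 'Radmin.exe', 'R_server.exe', 'raddrv.dll', 'ginstall.dll'
# Default install folder per the writeup; System32 is an assumed extra location
$SearchRoots  = 'C:\Program Files\radmin', (Join-Path $env:SystemRoot 'System32')
$HostsFile    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

$findings = @()

# 1. Service registration (display name 'Remote Administrator Service')
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "service '$($svc.Name)' ($($svc.DisplayName)) status=$($svc.Status)"
    # The listening port is configurable, so read it from the live process instead of guessing
    $svcPid = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").ProcessId
    if ($svcPid) {
        Get-NetTCPConnection -State Listen -OwningProcess $svcPid -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "listening on $($_.LocalAddress):$($_.LocalPort) (pid $svcPid)" }
    }
}

# 2. Registry subkeys created at install time
foreach ($key in $RegistryKeys) {
    if (Test-Path -LiteralPath $key) { $findings += "registry key $key" }
}

# 3. Component files; components can be dropped without an installer, so recurse
foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include $FileNames -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "file $($_.FullName)" }
}

# 4. Hosts file: the writeup lists no specific entries, so surface every active line for review
if (Test-Path -LiteralPath $HostsFile) {
    Get-Content -LiteralPath $HostsFile |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
        ForEach-Object { $findings += "hosts entry for review: $_" }
}

if (-not $findings) {
    Write-Host 'No Remacc.Radmin indicators found.'
    return
}
$findings | ForEach-Object { Write-Host "[+] $_" }

if ($Remove) {
    # Step 5 of the removal procedure: stop the service, then delete its registration and keys
    if ($svc -and $PSCmdlet.ShouldProcess($ServiceName, 'Stop and delete service')) {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        & sc.exe delete $ServiceName | Out-Null   # also removes Services\r_server
    }
    foreach ($key in $RegistryKeys) {
        if ((Test-Path -LiteralPath $key) -and $PSCmdlet.ShouldProcess($key, 'Delete registry key')) {
            Remove-Item -LiteralPath $key -Recurse -Force
        }
    }
    Write-Host 'Service and registry keys removed. Delete the reported files after a Safe mode scan and edit the hosts file by hand.'
}
```

Run it first without -Remove and compare the reported listening port and file paths against what is expected on that machine; a host where an administrator deliberately installed Remote Administrator will show the same indicators, and the listed port tells you which firewall rule to check. The -WhatIf switch supported by SupportsShouldProcess prints what -Remove would do without changing anything.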