Remacc.SAdoor

Printer Friendly Page

Updated: February 13, 2007 11:36:20 AM
Type: RemoteAccess
Version: 1.1
Publisher: n/a
Risk Impact: High
File Names: Sadoor.exe
Systems Affected: Windows

Behavior


Remacc.SAdoor is a backdoor program that uses a covert communication channel. It monitors network traffic on the host system and carries out certain actions if it sees a certain packet.

Symptoms


Your Symantec antivirus program detects Remacc.SAdoor.

Transmission


Remacc.SAdoor is normally installed by an intruder as a backdoor to the compromised system. However it can also be used as an remote administration tool.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version February 01, 2015 revision 020
  • Initial Daily Certified version December 29, 2003
  • Latest Daily Certified version January 26, 2015 revision 023
  • Initial Weekly Certified release date December 31, 2003

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Updated: February 13, 2007 11:36:20 AM
Type: RemoteAccess
Version: 1.1
Publisher: n/a
Risk Impact: High
File Names: Sadoor.exe
Systems Affected: Windows


When Remacc.SAdoor is executed, it monitors network traffic on a selected network interface. When it sees a certain packet, it will perform one of the following actions:

    • Execute a shell command
    • Connect to a remote host through TCP
    • Listen on a TCP port for a remote client to connect

The command data that is sent after trigger packet is found is encrypted.

The packet that is used to trigger Remacc.SAdoor is configurable. It can be an IP, ICMP, UDP or TCP packet with certain characteristics. The characteristics that can be examined include:
    • The source and destination ports
    • The beginning of a payload
    • TCP flags
    • Sequence and acknowledge numbers
    • ICMP types
    • ICMP codes
    • ICMP echo identity numbers
    • IP TOS and TTL values


Updated: February 13, 2007 11:36:20 AM
Type: RemoteAccess
Version: 1.1
Publisher: n/a
Risk Impact: High
File Names: Sadoor.exe
Systems Affected: Windows


The following instructions pertain to all Symantec antivirus products that support Security Risk detection.

  1. Update the definitions.
  2. Run a full system scan and delete all the files detected as Remacc.SAdoor.
For specific details on each of these steps, read the following instructions:


1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. Scanning for and deleting the files
    1. Start your Symantec antivirus program and run a full system scan..
    2. If any files are detected as Remacc.SAdoor, click Delete.


      Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.