ThreatExpert Report: Remacc.Radmin, not-a-virus:RemoteAdmin.Win32.RAdmin.20..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 6 September 2012, 14:39:16
Processing time: 8 min 16 sec
Submitted sample:

File MD5: 0x4FC34AA688701E0149F318316F984E81
File SHA-1: 0xB856D748BDAD319F0AF37E700BDED67DCA659970
Filesize: 1,863,767 bytes
Alias:

Remacc.Radmin [Symantec]
not-a-virus:RemoteAdmin.Win32.RAdmin.20, not-a-virus:RemoteAdmin.Win32.RAdmin.fz, not-a-virus:RemoteAdmin.Win32.RAdmin.22 [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Backdoor.Radmin!ct	Backdoor.Radmin!ct is a malicious application that runs in the background and allows remote access to your system, giving the attacker full control of your system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\ginstall.dll	55,296 bytes	MD5: 0x38A9142BA7B74DB9A68B3691C970BD89 SHA-1: 0x701FC2C3BF6F63B7CA7547F3A2DC1F8F154BE16F	(not available)
2	%ProgramFiles%\Radmin\help.cnt	2,240 bytes	MD5: 0xE3A329724E8C9E9CD02B4BC9A8680D16 SHA-1: 0x88B5F8B590CE74D017DB112BCB978DB4EF87525D	(not available)
3	%ProgramFiles%\Radmin\help.hlp	172,883 bytes	MD5: 0xB631650DE71D7195A8004E765B113D97 SHA-1: 0x301BB9A494283716BC03E3162829D984720D11CD	(not available)
4	%ProgramFiles%\Radmin\license.txt	38,460 bytes	MD5: 0x735D5B5569F463EAAACFA260C7061224 SHA-1: 0xA5C8EC2268DE25ED67723E8B9C5AFAFB60A5A6D8	(not available)
5	%ProgramFiles%\Radmin\raddrv.dll	29,600 bytes	MD5: 0x53843458086B37D4E72256A935AD57FD SHA-1: 0x2C32467A5450BC46737F00C15FD8BC46C5BD8AAE	Remacc.Radmin [Symantec] not-a-virus:RemoteAdmin.Win32.RAdmin.20 [Kaspersky Lab] RemAdm-RemoteAdmin [McAfee]
6	%ProgramFiles%\Radmin\radmin.exe	1,101,824 bytes	MD5: 0x7A4989E132089B95AEACF28C6E69B54D SHA-1: 0x5DC290000B5CF767BA65BA64DB3EB9C6959E59A8	Remacc.Radmin [Symantec] not-a-virus:RemoteAdmin.Win32.RAdmin.fz [Kaspersky Lab] RemAdm-RemoteAdmin [McAfee] packed with RadPack [Kaspersky Lab]
7	%ProgramFiles%\Radmin\README.TXT	10,802 bytes	MD5: 0xC4C23095FB46764D050AFE251D045F17 SHA-1: 0xFCF8C6FF1BC5089DD544BEA74EF75448D0FF5DD6	(not available)
8	%ProgramFiles%\Radmin\r_server.exe	708,608 bytes	MD5: 0x7A67446B8C0D917D540AF1088B3C8C17 SHA-1: 0xECC46682BA236D234BFCB28EF3813308BF79B158	Remacc.Radmin [Symantec] not-a-virus:RemoteAdmin.Win32.RAdmin.22 [Kaspersky Lab] RemAdm-RemoteAdmin [McAfee] RemoteAccess:Win32/RServer [Microsoft] packed with RadPack [Kaspersky Lab]
9	[file and pathname of the sample #1]	1,863,767 bytes	MD5: 0x4FC34AA688701E0149F318316F984E81 SHA-1: 0xB856D748BDAD319F0AF37E700BDED67DCA659970	Remacc.Radmin [Symantec] not-a-virus:RemoteAdmin.Win32.RAdmin.22 [Kaspersky Lab]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directory was created:

%ProgramFiles%\Radmin

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
r_server.exe	%ProgramFiles%\Radmin\r_server.exe	708,608 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	32,768 bytes

There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
radmin.exe	%ProgramFiles%\radmin\radmin.exe	1,683,456 bytes
r_server.exe	%ProgramFiles%\radmin\r_server.exe	1,314,816 bytes

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

To mark the presence in the system, the following Mutex objects were created:

.NET CLR Data_Perf_Library_Lock_PID_5f0
.NET CLR Networking_Perf_Library_Lock_PID_5f0
.NET Data Provider for Oracle_Perf_Library_Lock_PID_5f0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_5f0
.NETFramework_Perf_Library_Lock_PID_5f0
ASP.NET_Perf_Library_Lock_PID_5f0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_5f0
aspnet_state_Perf_Library_Lock_PID_5f0
ContentFilter_Perf_Library_Lock_PID_5f0
ContentIndex_Perf_Library_Lock_PID_5f0
ISAPISearch_Perf_Library_Lock_PID_5f0
PerfDisk_Perf_Library_Lock_PID_5f0
PerfNet_Perf_Library_Lock_PID_5f0
PerfOS_Perf_Library_Lock_PID_5f0
PerfProc_Perf_Library_Lock_PID_5f0
PSched_Perf_Library_Lock_PID_5f0
RemoteAccess_Perf_Library_Lock_PID_5f0
RSVP_Perf_Library_Lock_PID_5f0
Spooler_Perf_Library_Lock_PID_5f0
TapiSrv_Perf_Library_Lock_PID_5f0
Tcpip_Perf_Library_Lock_PID_5f0
TermService_Perf_Library_Lock_PID_5f0
WmiApRpl_Perf_Library_Lock_PID_5f0

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.