Author Topic: An (new?) RAdmin Brute-force Zombie, and How To Remove It  (Read 2439 times)

0 Members and 1 Guest are viewing this topic.

zylor

  • Guest
An (new?) RAdmin Brute-force Zombie, and How To Remove It
« on: April 01, 2012, 09:56:08 PM »
Hello all,

I would like to report malware that neither AVG's Complete Scan nor avast!'s Scan on Boot detected.

Summary
The machine runs code that connects to other machines using RAdmin. It then runs as a zombie to brute-force access to other machines. It then sends the failed/successful username/password lists to a server.

Symptoms
    Computer runs slow
    Outgoing connection found on port 4899, like the following:
Quote
    Scanning summary: Date    Protocol    Port or Type/Code    Dst count
    2012-03-28 17:00:00    6 (TCP)    4899 (radmin-port)    142
    2012-03-28 17:05:00    6 (TCP)    4899 (radmin-port)    146
    2012-03-28 17:10:00    6 (TCP)    4899 (radmin-port)    148
    2012-03-28 17:15:00    6 (TCP)    4899 (radmin-port)    143

Removal Instructions
1) Determine the process that has outbound connections on Port 4899 using [TCPView] (for me it was msgsm.exe which was the fake name used for the program lamescan3.exe).
2) Find the location of the .exe file (for me it was C:\WINDOWS\system32\dllcache\).
3) Stop the process using Task Manager or other equivalent.
4) This malware also uses a service to start this executable on startup. Find the name of the service.
--1) Find the batch file that starts the service (mine was mshts.bat). Although tedious, one way to determine which file in this folder is the following:
----1) Find all files ending in .bat.
----2) Open each one in a text editor and search for curl or wget, programs used to upload and download information from the server.
--2) Search the batch file for a command like sc stop MsHosts, where MsHosts is the name of the malware service.
--3) Search the registry for the DisplayName of the service. Go to Start -> Run and type regedit. Then hit Ctrl-F and type the name of the malware service. In that folder will be a registry key called DisplayName. We'll use that value to find the service and disable it. For me, the DisplayName was Manager mapping IP addresses to hosts and the Description was written in quite poor English...
5) Go to Start -> Control Panels -> Administrative Tools -> Services and look for the DisplayName that you found in the registry. Right-click it, go to Properties, click Stop and change the Startup Type to Disabled.
6) In the registry (which you can open by clicking Start -> Run and type regedit), right-click on the malware service folder, note the name of the Path to executable (for me it was (C:\WINDOWS\system32\dllcache\mgm.exe), select Delete and select Yes.
7) Delete both executables (e.g. msgsm.exe and mgm.exe). Then search in the batch file for any associated files (e.g. ___.dll or ___.ger) and delete those as well. Finally, delete the batch file.

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: An (new?) RAdmin Brute-force Zombie, and How To Remove It
« Reply #1 on: April 01, 2012, 10:19:24 PM »
Radmin is a legit programme www.Radmin.com
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37132
  • Not a avast user
Re: An (new?) RAdmin Brute-force Zombie, and How To Remove It
« Reply #2 on: April 01, 2012, 10:50:10 PM »
Quote
I would like to report malware that neither AVG's Complete Scan nor avast!'s Scan on Boot detected.
does this mean you have avast and AVG installed ?



if you download from the link Left123 gave....the zip file contain two exe

one is detected as riskware / PUP.... meaning a program that can be used for good or bad if abused

https://www.virustotal.com/file/993ba1b2ea0dad0854e5e64850f94fc09d9157a4a191234842cf0caf861c139f/analysis/1333313709/
https://www.virustotal.com/file/affb2db9f43c576328239db1249b9d67d7d886b0177f3a49703e7578344178a6/analysis/1333313706/


« Last Edit: April 01, 2012, 11:04:35 PM by Pondus »