This threat is a self-propagating Internet worm that carries a remote administration package known as Remote Admin 2.0. Remote Admin is not malicious by itself; however, this worm spreads without the target's permission or knowledge and installs the package silently. The set of files used resembles the threat BAT/Mumu in its use of batch-script installer files.

When the installer script is launched remotely, it opens the IPC$, ADMIN$ and C:\ shares and runs the command script "rs.cmd". The purpose of "rs.cmd" is to run the main installation of Remote Admin 2.0, configured to listen on TCP port 5555 and with the system tray icon disabled. The installer "run.bat" then runs the command script "star.cmd", which makes the majority of the registry modifications. "star.cmd" also contains the IP network scanning instructions the worm uses to locate targets, and it calls the command script "kcah.cmd". "kcah.cmd" copies the worm to the target's ADMIN$\SYSTEM32 share as RAR.EXE and terminates services and programs that may be running on the target, based on a list of process and service names.

When the remote access package is installed, numerous registry keys related to the operation of the remote administration package are created, including:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETSVC\
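The following host triage check is an added example written for this write-up; it is not code from the original page and not the worm's own scripts. It looks for the artifacts described above: RAR.EXE under system32, a listener on TCP port 5555, the LEGACY_NETSVC registry key, and the shares the installer opens. The write-up does not name the installed service, so the display-name match in step 4 is an assumption and should be confirmed against the service's binary path.

```powershell
# Added triage example; not part of the original write-up and not the worm's code.
# Run in an elevated PowerShell session. Get-NetTCPConnection and Get-SmbShare
# need Windows 8 / Server 2012 or later; on older hosts use netstat -ano and net share.

$findings = @()

# 1. Dropped copy: kcah.cmd writes RAR.EXE into ADMIN$\SYSTEM32, i.e. %SystemRoot%\system32.
$dropped = Join-Path $env:SystemRoot 'system32\RAR.EXE'
if (Test-Path $dropped) {
    $hash = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
    $findings += "Dropped file present: $dropped (SHA256 $hash)"
}

# 2. rs.cmd installs Remote Admin configured to listen on TCP 5555.
$listeners = Get-NetTCPConnection -State Listen -LocalPort 5555 -ErrorAction SilentlyContinue
foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 5555 listener: PID $($conn.OwningProcess) ($($proc.Path))"
}

# 3. Registry key created when the remote administration package is installed.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETSVC'
if (Test-Path $key) {
    $findings += "Registry key present: $key"
}

# 4. Installed service. ASSUMPTION: the write-up does not give the service name,
#    so this matches on the product's display name; verify the PathName it reports.
$services = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like '*Remote Admin*' }
foreach ($svc in $services) {
    $findings += "Service '$($svc.Name)' ($($svc.DisplayName)) -> $($svc.PathName), state $($svc.State)"
}

# 5. Shares the installer opens. IPC$, ADMIN$ and C$ are default administrative
#    shares on Windows, so their presence is context, not an indicator on its own.
foreach ($name in 'IPC$', 'ADMIN$', 'C$') {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    if ($share) {
        $findings += "Share $name is present (path: $($share.Path))"
    }
}

if ($findings.Count -eq 0) {
    'No artifacts from this write-up found.'
} else {
    $findings
}
```

A legitimately installed Remote Admin will also produce a TCP 5555 listener and the product's registry keys, so treat the dropped RAR.EXE in system32 and the batch installer files as the distinguishing artifacts, and pivot from a hit on this host to the scanning traffic that "star.cmd" generates toward other machines.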