Security Basics mailing list archives

RE: Hacked


From: "Jason DeCamp" <jdecamp () vzmultimedia com>
Date: Thu, 14 Apr 2005 17:14:54 -0400

It's likely the remote admin tools were the payload of the virus. Perhaps
someone modified it to drop these files? Just a thought.

-----Original Message-----
From: Joshua Berry [mailto:jberry () PENSON COM] 
Sent: Thursday, April 14, 2005 2:29 PM
To: mfernandez () fdta-valles org; security-basics () securityfocus com
Subject: RE: Hacked

Radmin is not a virus, that is a remote control utility like VNC or
PCAnywhere (except it is free I believe).

-----Original Message-----
From: Mauricio Fernandez [mailto:mfernandez () fdta-valles org] 
Sent: Thursday, April 14, 2005 9:46 AM
To: security-basics () securityfocus com
Subject: Hacked

This morning I found a wwwhack window opened on one of my w2k servers,
antivirus agent was deleted (TrendMicro) and when I reinstall it back,
it
found about 4500 viruses named PE_PARITE.B

Now the virus is still regenerating itself creating files on winnt\temp
folder, I saw the task list and stopped all the suspicious process, but
the virus still goes on...

The virus/hacker created a folder named RADMIN, where he copied these
files:
r_server.exe
admdll.dll
hide.reg
raddrv.dll
pro.bat
start.bat

Does anyone knows how to remove this virus and avoid this hack
vulnerability?


Mauricio Fernández S.
IT Manager
Tel. 591- 445-25160
Fax. 591- 441-15056
mfernandez () fdta-valles org
www.fdta-valles.org
Cochabamba - Bolivia



---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information security
professionals.  Norwich University is fulfilling this demand with its MS in
Information Security offered online.  Recognized by the NSA as an
academically excellent program, NU offers you the opportunity to earn your
degree without disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------


Current thread: