Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Norton AntiVirus 2005 treats Radmin as a Virus ??!
From: "Peadro, Jeff \(AIS\)" <jpeaa () allstate com>
Date: Tue, 12 Oct 2004 11:03:46 -0500

Correct.  RA was used in the JPEG exploit from easynews.

quoted from GDI spoit itself

"
UPDATE: We have packet logs at http://easynews.com/virus/  THIS VIRUS IS NASTY!

If you don't know what a jpeg virus is, check out:
http://news.google.com/news?q=jpeg+virus

Swany and I wrote a quick and nasty script to scan every jpeg that comes into Easynews.com..  It paged
my cell phone at 6:47pm PDT on 9/26/2004 for the first hit, and 7:52pm PDT on 9/26/2004 for
the second hit.

Once this JPEG overflowed GDI+, it phoned home, connected to and ftp site and downloaded
almost 2megs of stuff.  It installs a trojan that installs itself as a service.

It also installs radmin (radmin.com) running as 'r_server'.  From the radmin.com site, "With Radmin you
can work on a remote computer exactly as if you were right there at its keyboard."

It phones home to the same IP that is in the usenet post headers.  Then it seems
to connect to ftp://209.171.43.27/www/system/ u/p  bawz/pagdba  (last time I checked, 93 users where logged in!)
"

jEff

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of Todd Towles
Sent: Tuesday, October 12, 2004 9:15 AM
To: Sowhat .; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Norton AntiVirus 2005 treats Radmin as a
Virus ??!


That is a widely used tool that is dropped by various malware programs. I think even one of the JPEG exploits was 
dropping radmin.exe

It be better to assume you have a infection and prove yourself wrong than the other way around. Look into it pretty 
deep, I would suggest. 

-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Sowhat .
Sent: Tuesday, October 12, 2004 7:51 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Norton AntiVirus 2005 treats 
Radmin as a Virus ??!

hi ´╝îlist

I have installed Norton AntiVirus 2005 ,and when i open my 
F:\ directory ,Norton pops up and show that,"Norton AntiVirus 
has detected a virus on your computer" "Boject Name 
F:\radmin.exe" "Virus Name Hacktool".

Is RemoteAdministrator a commercial remote control software 
or a Hacktool ?

the following information is copied from the Radmin's site:
(http://www.radmin.com/)

"This fast, reliable, easy-to-use pc remote control software 
saves you hours of running up and down stairs between 
computers. Radmin allows you to take control of another PC on 
a LAN, WAN or dial-up connection so you see the remote 
computer's screen on your monitor and all your mouse 
movements and keystrokes are directly transferred to the 
remote machine. Radmin provides fast secure access to remote 
PC's on Windows platforms.  "

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]