Security Incidents mailing list archives

RE: looking for help


From: "Gilmore, Corey (DPC)" <Corey_Gilmore () dpc senate gov>
Date: Wed, 5 Nov 2003 11:47:03 -0500

-----Original Message-----
From: tina helbig [mailto:t.helbig () ecu edu au] 
Sent: Wednesday, November 05, 2003 1:54 AM
To: incidents () securityfocus com
Subject: Re: looking for help

<snip>

r_server.exe possibly a RAT (Remote Administration Trojan).  
As Symantec AntiVirus did not find any viruses on the 
system, I can only assume that it was an installed RAT as 
opposed to a RAT dropped by a virus.  The installation batch 
file for this process is named lolipop.bat which carries out 
a silent install.  On my initial investigation the r_server 
process was not running and did not show up in the open ports 
listing.  After a reboot however it appeared as a running 
process listening on TCP port 8150.  There were numerous 
references to it in the registry.

</snip>

r_server.exe is from Famatech's Remote Administrator package, and not a
trojan, but it is something I've regularly found on compromised
machines, along with Serv-U.  Also check for components from Dameware
Remote control (dwrcc.exe, dwrcins.exe, dwrcs.exe, dwrccmd.exe).
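As an added triage example (not code from either poster), the following joins Windows `netstat -ano` and `tasklist /fo csv` output on PID so that a listener such as the one on TCP 8150 can be tied back to its image and matched against the Radmin and Dameware binaries named in this thread; the command output embedded below is constructed sample data.

```python
# Added triage example (not from either poster): join `netstat -ano` and
# `tasklist /fo csv` output on PID to flag remote-admin listeners.
import csv
import io
import re

# Binaries named in the thread (Radmin, Dameware) and the port seen on r_server.
SUSPECT_IMAGES = {"r_server.exe", "dwrcc.exe", "dwrcins.exe", "dwrcs.exe", "dwrccmd.exe"}
SUSPECT_PORTS = {8150}

# Constructed samples of both commands' output; real output has the same shape.
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       784
  TCP    0.0.0.0:8150           0.0.0.0:0              LISTENING       1536
  TCP    10.0.0.5:1044          10.0.0.9:445           ESTABLISHED     4
"""
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","784","Console","0","4,512 K"
"r_server.exe","1536","Console","0","2,308 K"
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_listeners(netstat_text):
    """Return {pid: [ports]} for TCP sockets in LISTENING state."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.setdefault(int(m.group(2)), []).append(int(m.group(1)))
    return listeners

def parse_tasklist(tasklist_text):
    """Return {pid: image_name} from CSV tasklist output."""
    reader = csv.DictReader(io.StringIO(tasklist_text))
    return {int(row["PID"]): row["Image Name"] for row in reader}

def flag_remote_admin_listeners(netstat_text, tasklist_text):
    """Report (image, pid, port, reason) for each suspicious listener.
    Flags known remote-admin images, and anything on a port tied to the incident."""
    images = parse_tasklist(tasklist_text)
    hits = []
    for pid, ports in parse_listeners(netstat_text).items():
        image = images.get(pid, "<unknown>")  # PID may have exited between snapshots
        for port in sorted(ports):
            if image.lower() in SUSPECT_IMAGES:
                hits.append((image, pid, port, "known remote-admin binary"))
            elif port in SUSPECT_PORTS:
                hits.append((image, pid, port, "port seen in incident"))
    return hits
```

Feed it captures saved from the host under investigation; because the original poster only saw the listener after a reboot, take both snapshots at the same point in time so the PIDs line up.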


