Message-ID: <C4149E1053D9664489531CBE2BD595800340EE68@a0001-xpo0117-s.hodc.ad.allstate.com>
From: jpeaa at allstate.com (Peadro, Jeff (AIS))
Subject: Norton AntiVirus 2005 treats Radmin as a Virus ??!

Correct.  RA was used in the JPEG exploit from easynews.

quoted from the GDI sploit post itself

"
UPDATE: We have packet logs at http://easynews.com/virus/  THIS VIRUS IS NASTY!

If you don't know what a jpeg virus is, check out:
http://news.google.com/news?q=jpeg+virus

Swany and I wrote a quick and nasty script to scan every jpeg that comes into Easynews.com..  It paged
my cell phone at 6:47pm PDT on 9/26/2004 for the first hit, and 7:52pm PDT on 9/26/2004 for
the second hit.

Once this JPEG overflowed GDI+, it phoned home, connected to an ftp site and downloaded
almost 2 megs of stuff.  It installs a trojan that installs itself as a service.

It also installs radmin (radmin.com) running as 'r_server'.  From the radmin.com site, "With Radmin you
can work on a remote computer exactly as if you were right there at its keyboard."

It phones home to the same IP that is in the usenet post headers.  Then it seems
to connect to ftp://209.171.43.27/www/system/ u/p  bawz/pagdba  (last time I checked, 93 users were logged in!)
"

jEff

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Todd Towles
Sent: Tuesday, October 12, 2004 9:15 AM
To: Sowhat .; full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a
Virus ??!


That is a widely used tool that is dropped by various malware programs. I think even one of the JPEG exploits was dropping radmin.exe

It'd be better to assume you have an infection and prove yourself wrong than the other way around. Look into it pretty deep, I would suggest. 

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Sowhat .
> Sent: Tuesday, October 12, 2004 7:51 AM
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Norton AntiVirus 2005 treats 
> Radmin as a Virus ??!
> 
> hi list
> 
> I have installed Norton AntiVirus 2005, and when I open my 
> F:\ directory, Norton pops up and shows that "Norton AntiVirus 
> has detected a virus on your computer" "Object Name 
> F:\radmin.exe" "Virus Name Hacktool".
> 
> Is RemoteAdministrator a commercial remote control software 
> or a Hacktool ?
> 
> the following information is copied from the Radmin's site:
> (http://www.radmin.com/)
> 
> "This fast, reliable, easy-to-use pc remote control software 
> saves you hours of running up and down stairs between 
> computers. Radmin allows you to take control of another PC on 
> a LAN, WAN or dial-up connection so you see the remote 
> computer's screen on your monitor and all your mouse 
> movements and keystrokes are directly transferred to the 
> remote machine. Radmin provides fast secure access to remote 
> PCs on Windows platforms.  "
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
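A defender-side check for the easynews scenario quoted above (scanning incoming JPEGs for the GDI+ trigger), as an added example that is not part of this thread or of the easynews script: it walks the JPEG marker segments and flags any segment whose declared length is under 2, the malformed comment-segment shape behind MS04-028. The sample byte strings are constructed.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field (SOI, EOI, TEM, RST0..RST7)
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))

def scan_jpeg(data: bytes):
    """Walk JPEG marker segments up to SOS and return a list of findings.
    An empty list means the header segments look well formed. A segment
    declaring length < 2 is impossible in a valid file (the length field
    counts itself) and is the MS04-028 GDI+ comment-segment pattern."""
    findings = []
    if len(data) < 2 or data[:2] != b"\xff\xd8":
        return ["not a JPEG (missing SOI)"]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            findings.append(f"offset {pos}: expected marker byte 0xFF")
            break
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            if marker == EOI:
                break
            continue
        if pos + 2 > len(data):
            findings.append(f"offset {pos}: truncated length for marker 0x{marker:02X}")
            break
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        if length < 2:
            findings.append(f"offset {pos}: marker 0x{marker:02X} declares length "
                            f"{length} (< 2, MS04-028 pattern)")
            break
        if pos + length > len(data):
            findings.append(f"offset {pos}: marker 0x{marker:02X} length {length} runs past EOF")
            break
        pos += length
        if marker == SOS:
            break  # entropy-coded data follows; header segments are done
    return findings

# Constructed samples: a minimal JFIF file with a benign comment, and one
# whose COM segment declares a length of 1.
BENIGN = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 16)
          + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
          + b"\xff\xfe" + struct.pack(">H", 7) + b"hello" + b"\xff\xd9")
MALFORMED = b"\xff\xd8\xff\xfe\x00\x01" + b"\x00" * 8 + b"\xff\xd9"
```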
