Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Remacc.Radmin

Updated: 13 February 2007
Publisher: Famatech LLC.
Risk Impact: Low
File Names: Radmin.exe, R_server.exe, raddrv.dll, ginstall.dll
Systems Affected: Windows

Behavior

Remacc.Radmin is a component of the remote control software, Remote Administrator.

Remote Administrator is legitimate remote administration software. However, some of its components can be used for malicious purposes, because they allow a remote attacker to control a user's computer.

Symptoms

The files are detected as Remacc.Radmin.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 10 July 2019 revision 023
  • Initial Daily Certified version 14 October 2003 revision 003
  • Latest Daily Certified version 11 July 2019 revision 001
  • Initial Weekly Certified release date 15 October 2003

Technical Details

Remacc.Radmin is often installed from a legitimate package to a configurable location. By default, that location is C:\Program Files\radmin. However, its components can also be placed on a computer without any installation procedure.

Upon execution, Remacc.Radmin can be configured to run in stealth mode, allowing the remote attacker to control the compromised computer. The ports used are configurable.

When Remacc.Radmin is installed, it does the following:
  1. Creates the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\r_server

    so that a service is created.

  2. Creates a service with the following characteristics:

    Service Name: r_server
    Display Name: Remote Administrator Service

  3. Creates the following subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Remote Administrator v2.2
    HKEY_LOCAL_MACHINE\System\RAdmin

  4. May modify the hosts file.

Removal

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Remove all the entries that the risk added to the hosts file.
  3. Restart the computer in Safe mode.
  4. Run a full system scan and delete all the files detected as Remacc.Radmin.
  5. Delete any values added to the registry.
For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To remove all the entries that the risk added to the hosts file
  1. Navigate to the following location:

    • Windows 95/98/Me:
      %Windir%
    • Windows NT/2000/XP:
      %Windir%\System32\drivers\etc

      Notes:
    • The location of the hosts file may vary and some computers may not have this file. There may also be multiple copies of this file in different locations. If the file is not located in these folders, search your disk drives for the hosts file, and then complete the following steps for each instance found.
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

  2. Double-click the hosts file.
  3. If necessary, deselect the "Always use this program to open this type of file" check box.
  4. Scroll through the list of programs and double-click Notepad.
  5. When the file opens, delete all the entries added by the risk. (See the Technical Details section for a complete list of entries.)
  6. Close Notepad and save your changes when prompted.


3. To restart the computer in Safe mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode. For instructions, read the document: How to start the computer in Safe Mode.

4. Scanning for and deleting the files
Start Norton AntiVirus and make sure that it is configured to scan all the files. For more information, read the document, "How to configure Norton AntiVirus to scan all files."
Run a full system scan.
If any files are detected as Remacc.Radmin, click Delete.

5. To delete the value from the registry

Note: This procedure is optional. The keys that currently known versions of this risk add are not likely to do any harm if they are not removed from the registry. Removal can be somewhat complex due to the randomly named files.

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry.

  1. Click Start, and then click Run.
  2. Type regedit, and then click OK.
  3. Navigate to and delete the registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Remote Administrator v2.2
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\r_server
    HKEY_LOCAL_MACHINE\System\RAdmin

  4. Exit the Registry Editor.
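The indicators in the Technical Details section (the r_server service, the three registry subkeys, the default install folder and file names) and the hosts-file review in removal step 2 can be checked from a script rather than by hand, both before removal and afterwards to confirm nothing was missed. The following is an added example written for this write-up; it is not Symantec's tooling. The indicator values are taken from the text above, the hosts-file lines in the tests are constructed, and because the write-up does not list the hosts entries the risk adds, every mapping that is not a stock loopback line is reported for a person to judge. Live collection uses the standard winreg module and runs only on Windows; the matching and parsing functions run anywhere.

```python
"""Audit a host for the Remacc.Radmin indicators given in this write-up.

Indicator values come from the Technical Details and Removal sections.
Live inventory collection is Windows-only; matching and hosts parsing are
platform-independent so they can be tested against constructed input.
"""
import ntpath
import os
import sys

# Indicators from the write-up.
RADMIN_SERVICE = "r_server"
RADMIN_REGISTRY_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Remote Administrator v2.2",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\r_server",
    r"HKEY_LOCAL_MACHINE\System\RAdmin",
)
RADMIN_FILES = ("radmin.exe", "r_server.exe", "raddrv.dll", "ginstall.dll")
DEFAULT_INSTALL_DIR = r"C:\Program Files\radmin"

# Stock hosts-file mappings; anything else is reported for review.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1", "255.255.255.255"}


def review_hosts(text):
    """Return (line_no, ip, hostnames) for each active hosts entry that is not
    a stock loopback mapping. Comments and blank lines are skipped."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing/full-line comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        if not names:
            continue  # malformed line, resolves nothing
        if ip in LOOPBACK_ADDRS and all(n.lower() in LOOPBACK_NAMES for n in names):
            continue
        findings.append((no, ip, names))
    return findings


def match_indicators(services, registry_keys, file_paths):
    """Match an inventory against the write-up's indicators. Comparison is
    case-insensitive because service names, the registry and NTFS are."""
    hits = []
    for name in services:
        if name.lower() == RADMIN_SERVICE:
            hits.append(("service", name))
    wanted = {k.lower() for k in RADMIN_REGISTRY_KEYS}
    for key in registry_keys:
        if key.lower().rstrip("\\") in wanted:
            hits.append(("registry", key))
    for path in file_paths:
        # ntpath handles backslash paths even when run on a non-Windows analyst box.
        if ntpath.basename(path).lower() in RADMIN_FILES:
            hits.append(("file", path))
    return hits


def collect_windows_inventory():
    """Enumerate installed services, the indicator keys that exist, and files
    under the default install folder. Returns empty lists off Windows."""
    if sys.platform != "win32":
        return [], [], []
    import winreg

    services = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services") as svc:
        index = 0
        while True:
            try:
                services.append(winreg.EnumKey(svc, index))
            except OSError:
                break  # no more subkeys
            index += 1
    present_keys = []
    prefix = "HKEY_LOCAL_MACHINE\\"
    for full in RADMIN_REGISTRY_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, full[len(prefix):]))
            present_keys.append(full)
        except OSError:
            pass  # key absent
    files = []
    for root, _dirs, names in os.walk(DEFAULT_INSTALL_DIR):
        files.extend(os.path.join(root, n) for n in names)
    return services, present_keys, files


if __name__ == "__main__":
    services, keys, files = collect_windows_inventory()
    for kind, value in match_indicators(services, keys, files):
        print(f"[indicator] {kind}: {value}")
    hosts_path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                              r"System32\drivers\etc\hosts")
    if os.path.exists(hosts_path):
        with open(hosts_path, encoding="utf-8", errors="replace") as fh:
            for no, ip, names in review_hosts(fh.read()):
                print(f"[hosts line {no}] {ip} -> {' '.join(names)} (review)")
```

The script only reports; deleting the service, keys and files is left to the steps above so that a legitimately installed Remote Administrator is not removed by mistake. Files matched by name outside the default folder (the write-up notes the components can be dropped without an installation) can be fed to match_indicators from any file listing you already have.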