Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.



13 February 2007
Risk Impact:
File Names:
Systems Affected:


Remacc.SAdoor is a backdoor program that uses a covert communication channel. It monitors network traffic on the host system and carries out certain actions if it sees a certain packet.


Your Symantec antivirus program detects Remacc.SAdoor.


Remacc.SAdoor is normally installed by an intruder as a backdoor to the compromised system. However it can also be used as an remote administration tool.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 01 February 2015 revision 020
  • Initial Daily Certified version 29 December 2003
  • Latest Daily Certified version 26 January 2015 revision 023
  • Initial Weekly Certified release date 31 December 2003
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

When Remacc.SAdoor is executed, it monitors network traffic on a selected network interface. When it sees a certain packet, it will perform one of the following actions:
    • Execute a shell command
    • Connect to a remote host through TCP
    • Listen on a TCP port for a remote client to connect

The command data that is sent after trigger packet is found is encrypted.

The packet that is used to trigger Remacc.SAdoor is configurable. It can be an IP, ICMP, UDP or TCP packet with certain characteristics. The characteristics that can be examined include:
    • The source and destination ports
    • The beginning of a payload
    • TCP flags
    • Sequence and acknowledge numbers
    • ICMP types
    • ICMP codes
    • ICMP echo identity numbers
    • IP TOS and TTL values

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Run a full system scan and delete all the files detected as Remacc.SAdoor.
For specific details on each of these steps, read the following instructions:

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. Scanning for and deleting the files
    1. Start your Symantec antivirus program and run a full system scan..
    2. If any files are detected as Remacc.SAdoor, click Delete.

      Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.