W32.Rahack


Aliases: Win32.RAhack, Backdoor.Win32.Agent.go, W32/RAHack, WORM_RAHACK.A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 06 Jan 2005
Damage: Medium

Characteristics: W32.Rahack is a worm that spreads to computers running Radmin software by exploiting weak passwords to connect to the Radmin server. The worm is a slow infector. It does medium damage to the infected computer and can be manually removed using updated antivirus software.

More details about W32.Rahack

The worm W32.Rahack propagates to computers running Radmin software. Once executed, it creates the following files: mscolsrv.exe, server.dll, svchsot.exe, syshid.exe, and system.vbs. It adds values to the registry so that it runs every time Windows starts, and it creates the service MSCoolServ. It then searches for .htm and .html files and copies itself using the same name as each file, but with an EXE extension. The worm also inserts an object tag into the .html files so that it executes every time the files are opened. It then searches for IP addresses running Radmin. The worm attempts to access the computers it finds running Radmin by using any of the following passwords: 123456789, 11111111, 12345678, password, qwertyui, 00000000, and 12341234. Finally, it copies itself onto the remote computer as C:\wutemp\srvsxc.exe and attempts to execute itself.
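The file names, the remote copy path and the password list above can be turned into a simple host check. The following is an added example, not part of the original write-up: the function names and the sample directory tree are constructed for illustration, and it assumes the EXE copy sits in the same folder as the .htm/.html file it is named after.

```python
import os
import tempfile

# Indicators copied from the description above.
DROPPED_NAMES = {"mscolsrv.exe", "server.dll", "svchsot.exe", "syshid.exe", "system.vbs"}
WEAK_PASSWORDS = {"123456789", "11111111", "12345678", "password",
                  "qwertyui", "00000000", "12341234"}


def scan_tree(root):
    """Walk root and return sorted (reason, path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower(): f for f in files}  # Windows names are case-insensitive
        for low, name in lower.items():
            full = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(low)
            if low in DROPPED_NAMES:
                findings.append(("dropped-file-name", full))
            # Remote copy location named in the description: C:\wutemp\srvsxc.exe
            if low == "srvsxc.exe" and os.path.basename(dirpath).lower() == "wutemp":
                findings.append(("remote-copy-path", full))
            # Assumption: the same-name EXE copy sits next to the HTML file.
            if ext in (".htm", ".html") and stem + ".exe" in lower:
                findings.append(("exe-beside-html", os.path.join(dirpath, lower[stem + ".exe"])))
    return sorted(findings)


def is_worm_guessable(radmin_password):
    """True if the Radmin password is one of those the worm tries."""
    return radmin_password in WEAK_PASSWORDS


def build_sample(root):
    """Constructed sample tree of empty, harmless files for the demo."""
    for rel in ("web/index.html", "web/index.exe", "web/about.htm",
                "sys/svchsot.exe", "sys/svchost.exe", "wutemp/srvsxc.exe"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for reason, path in scan_tree(tmp):
            print(reason, os.path.relpath(path, tmp))
```

A match on a file name alone is only a lead for further inspection; the legitimate svchost.exe in the sample is deliberately not flagged, while the misspelled svchsot.exe is.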

W32.Rahack possibly terminates the processes of anti-virus programs to avoid being detected and deleted from the infected machine. It can also disable the whole system, causing the infected computer to shut down and restart by itself. The user’s PII (Personally Identifiable Information) may be transmitted to third parties by the additional programs installed on the user’s computer. The infected system may also slow down because of the installed programs. Users may notice new shortcut icons on the desktop; these may have been added together with the applications that were downloaded.