Aliases: Win32.Badmin, Tool-IPCScan, Win32.IPCScan.200, Win32.IRCFlood, BAT.IRCFlood
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 02 Sep 2004
Damage: Low

Characteristics: Win32.Remadmin is a worm that infects Windows systems. It spreads through Windows file sharing, and installs a backdoor. This allows complete control of an affected system. It consists of multiple files that include batch files and Win32 executables It propagates in the form of a self-extracting RAR archive.

More details about W32.Remadmin

Win32.Remadmin contains a self-extracting RAR called "rar.exe". When infecting a computer, Win32.Remadmin copies rar.exe to the System directory and executes it. It then launches "SecScan.exe -i". The file SecScan.exe is installed as a service. The service is starts the worm by launching ftp.bat with the following command:"cmd.exe /c ftp.bat". The file ftp.bat creates a new local user account using the username "admin". The worm may create one or more user accounts in the administrators group. It may also add the account to the following local groups: administratoren, administrators, and administrateurs. It also executes Star.cmd, which starts the following services: RemoteRegistry, NetBios, TlntSvr (Telnet), and TermServ. The worm W32.Remadmin installs msdos.exe on the infected computer. This is a modified version of RAdmin. This file runs as a backdoor.

The Win32.Remadmin software uses the affected computer’s Internet connection to access remote websites. It downloads illicit files and programs on the user’s machine. This program changes the user’s home page. Apart from downloading illicit programs, this application is also capable of spreading threats to other computers. The propagation of threats may be done via P2P (peer-to-peer) file sharing programs. The Shared folder on P2P programs allows users to access files from other systems. Threats may be downloaded by users unknowingly. They are usually disguised under filenames of legitimate programs and popular downloads.