by tansuoufo
Written in Visual Basic
Released in May 2004
Made in China
Dropped Files:
c:\WINDOWS\system32\admdll.dll Size: 46,592 bytes
c:\WINDOWS\system32\r_server.exe Size: 176,128 bytes
c:\WINDOWS\system32\raddrv.dll Size: 17,408 bytes
c:\WINDOWS\system32\readme1.htm Size: 453 bytes
c:\WINDOWS\system32\twmm.gif Size: 15,025 bytes
c:\WINDOWS\system32\WindowsUpdate.exe Size: 60,928 bytes
c:\WINDOWS\system32\zdhxn.htm Size: 965 bytes
c:\WINDOWS\system32\zdhxn.mid Size: 14,652 bytes

port: 6319 TCP

added to registry:
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{083863F1-70DE-11D0-BD40-00A0C911CE86}
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{083863F1-70DE-11D0-BD40-00A0C911CE86}\{31345649-0000-0010-8000-00AA00389B71}
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{083863F1-70DE-11D0-BD40-00A0C911CE86}\{A2551F60-705F-11CF-A424-00AA003735BE}
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_R_SERVER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_R_SERVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_R_SERVER\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\r_server
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\r_server\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\r_server\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_R_SERVER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_R_SERVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_R_SERVER\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\r_server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\r_server\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\r_server\Security
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\iplist
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters

tested on Windows XP
April 23, 2005
MegaSecurity