-
June 8th, 2003, 02:28 PM
#1
IMPORTANT: RapidBlaster Parasite warning!
The most recent variants of RapidBlaster ( http://www.doxdesk.com/parasite/RapidBlaster.html ) will "morph" themselves to evade detection. Periodically, RapidBlaster will download data from its controlling server that contains a new folder and filename. It will then copy itself to that folder, terminate the original process, delete the original file, and run the new file in the new location.
Since the folder and filenames that RapidBlaster uses are randomly sent from the server, and are not contained within the executable itself, it is very easy for the makers of RapidBlaster to simply update the list of folders/filenames that RapidBlaster uses. Thus, looking for the following folders/filenames should not be the only method of detection, and will not guarantee a RapidBlaster-free system.
The following is an incomplete list of RB file names that have been spotted so far:
- rb32 lptt01 = rb32.exe (In a "RapidBlaster" folder in Program Files)
- realplay lptt01 = realplay.exe (In a "RealPlay" folder in Program Files)
- Notepad lptt01 = Notepad.exe (In a "Notepad" folder in Program Files)
- Bsoft lppt01 = Bsoft.exe (In a "BelmontSoft" folder in Program Files)
- Icon lptt01 = icon.exe (In a "Icon" folder in Program Files)
- msys lptt01 = msys.exe (In a "Msyss" folder in Program Files)
- aimaol lptt01 = aimaol.exe (In a "Aimaol" folder in Program Files)
- nvd32 lptt01 = nvd32.exe (In a Program Files\NvidStar directory)
- syscon lptt01 = syscon.exe (In a "Syscon" folder in Program Files)
- winwan lptt01 = winwan.exe (In a "Winwan" folder in Program Files)
- taskmngr lptt01 = taskmngr.exe (In a "Taskmngr" folder in Program Files)
- Microfinder lptt01 = mcf.exe (In a "MicroFinder" folder in Program Files)
- winsyslog lptt01 = winsyslog.exe (In a "Winsyslog" folder in Program Files)
- yahoo_toolbar lptt01 = yahoo_toolbar.exe (In a "yahoo_toolbar" folder in Program Files)
- Surfer lptt01 = surfer.exe (In a "mssurfer" folder in Program Files)
- Dkware lptt01 = dkware.exe (In a "DonkeySoft" folder in Program Files)
- Kazaa lptt01 = kazaa.exe (In a "kazaa" folder in Program Files)
- Explorer lptt01 = explorer.exe (In a "explorer" folder in Program Files)
- Newsgroup lptt01 = newsgroup.exe (In a "newsgroup" folder in Program Files)
- Spool lptt01 = spool.exe (In a "spool" folder in Program Files)
- Msconfig lptt01 = msconfig.exe (In a "msconfig" folder in Program Files)
- Adaware lptt01 = adaware.exe (In a "adaware" folder in Program Files)
- iexplorer lptt01 = explorer.exe (In a "iexplorer" folder in Program Files)
- Syslog lptt01 = Syslog.exe (In a "Syslog" folder in Program Files)
Javacool of Javacoolsoftware fame has reacted with great speed, and issued a RapidBlaster killer, which will find any RapidBlaster variants on your system, will kill the process, and delete the Registry Run entry.
Once the process has been terminated, find the program's folder in Program Files, and simply delete it!
Read about it here: http://www.wilderssecurity.net/speci...idblaster.html
Last edited by Kleinkramer; June 8th, 2003 at 07:46 PM.
-
June 8th, 2003, 03:14 PM
#2
WOW!!!
Sounds like a virus...
Don't take a Shock Rifle to a Flak Cannon fight...
-
June 8th, 2003, 03:17 PM
#3
Yeah, it's a major pain!
Using RB Killer it's a cinch to remove, fortunately.
And no doubt the folks at Lavasoft and SpyBot will be issuing updated RapidBlaster detection before long as well.
-
June 8th, 2003, 07:41 PM
#4
Thank you very much Tony! Don't think I have this nasty, but have dn/loaded the rbkiller and will update my SpywareBlaster immediately!
Stupid question? No such thing!
Virtual Dr. to the rescue!
Just ask. Bookmark your post for easy reference.
==================================
-
June 8th, 2003, 07:50 PM
#5
You're welcome, Ridgerunr. 
It's not a particularly dangerous little b*gger, but due to all that morphing it's extremely hard to get a grip on.
It keeps slipping away and resurfacing.
However, despite all these different file names, the files themselves are absolutely identical, which shouldn't make programmatic detection very hard once the Ad-Aware and SpyBot coders get to grips with it.
Cheers,
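
Added example, not part of the original posts or of RB Killer: since post #1 notes that folder and file names come from the server and post #5 notes that the files themselves are identical, this sketch matches files by content (size, then SHA-256) against one copy that has already been identified. The function names, the reference file and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large executables are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(reference_path, root):
    """Return files under root that are byte-identical to the reference copy,
    whatever folder or file name they currently use."""
    ref_size = os.path.getsize(reference_path)
    ref_hash = sha256_of(reference_path)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # Cheap size check first; hash only plausible candidates.
                if os.path.getsize(path) == ref_size and sha256_of(path) == ref_hash:
                    hits.append(path)
            except OSError:
                continue  # locked or unreadable file: skip, do not abort the scan
    return sorted(hits)


def demo():
    """Build a constructed folder tree and scan it (no real sample involved)."""
    payload = b"CONSTRUCTED-SAMPLE" * 64  # stand-in bytes, labelled as constructed
    layout = {
        "RapidBlaster/rb32.exe": payload,      # names taken from the list in post #1
        "Notepad/Notepad.exe": payload,        # same content under a different name
        "Other/tool.exe": payload[::-1],       # same size, different content
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "Program Files")
        for rel, data in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        ref = os.path.join(tmp, "identified_copy.bin")  # hypothetical known copy
        with open(ref, "wb") as f:
            f.write(payload)
        return [os.path.relpath(p, root).replace(os.sep, "/")
                for p in find_copies(ref, root)]
```

A content match only holds while every variant stays byte-identical, which is what post #5 reports for the copies seen so far.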
-
June 11th, 2003, 02:02 AM
#6
Excellent news:
RapidBlaster Killer has been updated, and is now at v. 1.3
New features:
It will not only terminate the task, and remove the run entry, but also give the user the option of exiting (not the default choice) or proceeding to delete the file(s) and cleanup.
So the program can now:
- Delete the RapidBlaster file(s)/folder(s).
- Delete the Uninstall entry/entries.
No need to do any additional manual cleaning. 
In short: it will delete ALL of this new version of RapidBlaster, and at present it's the only application which does!
RB Killer 1.3 download:
http://www.spywareinfo.com/downloads/rbkil...er/rbkiller.exe
or
http://www.wilderssecurity.net/downloads/rbkiller.exe
The webpage: http://www.wilderssecurity.net/specialinfo...pidblaster.html
-
June 11th, 2003, 04:17 PM
#7
Thanks for the update Tony. Got it...
-
February 3rd, 2004, 01:48 PM
#8
I found this site in a search engine and have been plagued with the Rapid blaster menace for quite some time, but after searching through the links I put a stop to it with a simple download. I had to become a member to say thanks and tell you how much I appreciate it.
-
February 3rd, 2004, 02:16 PM
#9
Welcome to Virtualdr freeezz
Thanx for letting us know.