BKDR_RMTSVC.U
Backdoor:Win32/Rmtsvc.C!bit (Microsoft)
Windows
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Backdoor injects codes into the following process(es):
- explorer.exe
NOTES:
Once executed, a remote malicious user can access a web page hosted on the affected machine using Port 7778. This web page contains a control panel where a remote user can perform remote commands.
It has the following capaibilities:
- Screen view
- Fully control
- Send Ctrl + Alt + Del
- Set the clipboard
- Get the clipboard
- Run a program
- Shutdown
- Restart
- Log off
Remote management
- Telnet control
- File management
- Process list
- Port list
- Service list
- The registry
- FTP management
VIDC management
- UPnP port mapping
- Local port mapping
- Remote port mapping
- VIDC service management
- Proxy service configuration
- Configure import and export
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Scan your computer with your Trend Micro product to delete files detected as BKDR_RMTSVC.U. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.