
IMPORTANT: RapidBlaster Parasite warning!

Discussion in 'Virus & Other Malware Removal' started by TonyKlein, Jun 8, 2003.

Thread Status:
Not open for further replies.
  1. TonyKlein

    TonyKlein Malware Specialist Thread Starter

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    The most recent variants of RapidBlaster ( http://www.doxdesk.com/parasite/RapidBlaster.html ) will "morph" themselves to evade detection. Periodically, RapidBlaster will download data from its controlling server that contains a new folder and filename. It will then copy itself to that folder, terminate the original process, delete the original file, and run the new file in the new location.

    Since the folder and filenames that RapidBlaster uses are randomly sent from the server, and are not contained within the executable itself, it is very easy for the makers of RapidBlaster to simply update the list of folders/filenames that RapidBlaster uses. Thus, looking for the following folders/filenames should not be the only method of detection, and will not guarantee a RapidBlaster-free system.

    The following is an incomplete list of RB file names that have been spotted so far:

    - rb32 lptt01 = rb32.exe (In a "RapidBlaster" folder in Program Files)
    - realplay lptt01 = realplay.exe (In a "RealPlay" folder in Program Files)
    - Notepad lptt01 = Notepad.exe (In a "Notepad" folder in Program Files)
    - Bsoft lppt01 = Bsoft.exe (In a "BelmontSoft" folder in Program Files)
    - Icon lptt01 = icon.exe (In an "Icon" folder in Program Files)
    - msys lptt01 = msys.exe (In a "Msyss" folder in Program Files)
    - aimaol lptt01 = aimaol.exe (In an "Aimaol" folder in Program Files)
    - nvd32 lptt01 = nvd32.exe (In a Program Files\NvidStar directory)
    - syscon lptt01 = syscon.exe (In a "Syscon" folder in Program Files)
    - winwan lptt01 = winwan.exe (In a "Winwan" folder in Program Files)
    - taskmngr lptt01 = taskmngr.exe (In a "Taskmngr" folder in Program Files)
    - Microfinder lptt01 = mcf.exe (In a "MicroFinder" folder in Program Files)
    - winsyslog lptt01 = winsyslog.exe (In a "Winsyslog" folder in Program Files)
    - yahoo_toolbar lptt01 = yahoo_toolbar.exe (In a "yahoo_toolbar" folder in Program Files)
    - Surfer lptt01 = surfer.exe (In a "mssurfer" folder in Program Files)
    - Dkware lptt01 = dkware.exe (In a "DonkeySoft" folder in Program Files)
    - Kazaa lptt01 = kazaa.exe (In a "kazaa" folder in Program Files)
    - Explorer lptt01 = explorer.exe (In an "explorer" folder in Program Files)
    - Newsgroup lptt01 = newsgroup.exe (In a "newsgroup" folder in Program Files)
    - Spool lppt01 = spool.exe (In a "spool" folder in Program Files)
    - Msconfig lppt01 = msconfig.exe (In a "msconfig" folder in Program Files)
    - Adaware lppt01 = lptt01 adaware.exe (In an "adaware" folder in Program Files)
    - iexplorer lptt01 = explorer.exe (In an "iexplorer" folder in Program Files)
    - Syslog lptt01 = Syslog.exe (In a "Syslog" folder in Program Files)


    Javacool of Javacoolsoftware fame has reacted with great speed, and issued a RapidBlaster killer, which will find any RapidBlaster variants on your system, will kill the process, and delete the Registry Run entry.

    Once the process has been terminated, find the program's folder in Program Files, and simply delete it!

    Read about it here: http://www.wilderssecurity.net/specialinfo/rapidblaster.html
     
  2. Aaron.W

    Aaron.W

    Joined:
    May 8, 2003
    Messages:
    485
    . . . and it may help to block the subnet 217.116.231 "VIDEO-PLAY.COM" so it can't call home for updates. ;]
     
  3. Davey7549

    Davey7549

    Joined:
    Feb 28, 2001
    Messages:
    11,584
    Tony
    Can one assume that if they see the tag lptt01 it is a RapidBlaster derivative?

    Dave
     
  4. TonyKlein

    TonyKlein Malware Specialist Thread Starter

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    That may be worth a try! (y)

    I think that would be a safe assumption, Dave. I can't remember any other startups that look like that.
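    As an added example (not from this thread and not part of RB Killer or any other tool named here), the following Python script applies the two signals discussed above to constructed HijackThis-style O4 autostart lines: the "lptt01"/"lppt01" tag in the Run entry name that Dave asks about, and the Program Files folder names from Tony's list. The sample lines and the `classify_o4`/`scan_o4_lines` names are my own assumptions, not real log data.

```python
import re

# Constructed sample of HijackThis-style "O4" autostart lines (not a real log),
# modelled on the "<name> lptt01 = <file>.exe" entries listed in the thread.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [rb32 lptt01] C:\Program Files\RapidBlaster\rb32.exe",
    r"O4 - HKCU\..\Run: [Notepad lptt01] C:\Program Files\Notepad\Notepad.exe",
    r"O4 - HKLM\..\Run: [realplay lptt01] C:\Program Files\RealPlay\realplay.exe",
    r"O4 - HKLM\..\Run: [Frob lptt01] C:\Program Files\Frobnicate\frob.exe",  # folder not on the list
    r"O4 - HKLM\..\Run: [explorer] C:\Program Files\explorer\explorer.exe",  # listed folder, no tag
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe",
]

# Folder names from the thread's list, matched case-insensitively against the
# folder directly under Program Files.
KNOWN_RB_FOLDERS = {
    "rapidblaster", "realplay", "notepad", "belmontsoft", "icon", "msyss", "aimaol",
    "nvidstar", "syscon", "winwan", "taskmngr", "microfinder", "winsyslog",
    "yahoo_toolbar", "mssurfer", "donkeysoft", "kazaa", "explorer", "newsgroup",
    "spool", "msconfig", "adaware", "iexplorer", "syslog",
}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PF_RE = re.compile(r"^[A-Za-z]:\\Program Files\\(?P<folder>[^\\]+)\\", re.IGNORECASE)
# The thread agrees the "lptt01" tag identifies RB startups; "lppt01" also appears in the list.
TAG_RE = re.compile(r"\blp[pt]t01\b", re.IGNORECASE)


def classify_o4(line):
    """Describe one autostart line; return None if it is not an O4 line."""
    m = O4_RE.match(line)
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd")
    pf = PF_RE.match(cmd)
    folder = pf.group("folder") if pf else None
    known = folder is not None and folder.lower() in KNOWN_RB_FOLDERS
    if TAG_RE.search(name):
        # Tagged entries are reported even when the folder is new, because the
        # folder list is server-supplied and changes (as the first post explains).
        verdict = "rapidblaster" if known else "rapidblaster-unknown-folder"
    elif known:
        verdict = "suspicious-folder-untagged"
    else:
        verdict = "unflagged"
    return {"name": name, "command": cmd, "folder": folder, "verdict": verdict}


def scan_o4_lines(lines):
    """Return only the entries worth reviewing (tagged, or in a listed RB folder)."""
    return [e for e in map(classify_o4, lines) if e and e["verdict"] != "unflagged"]
```

Running `scan_o4_lines(SAMPLE_O4_LINES)` reports the four tagged entries plus the untagged one in a listed folder, and ignores the two ordinary Windows startups.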
     
  5. Davey7549

    Davey7549

    Joined:
    Feb 28, 2001
    Messages:
    11,584
    Tony
    Thanks for the info! I generally do not handle heavy security issues since you guys are better at it but it is good to know if I see it!:D

    Dave
     
  6. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,257
    Tony - thanx for the info. I still think (for those that have any interest), that the best protection mechanism for malware, trojans and virii is a thorough understanding of the processes (and mutexes) which run on your machine normally. You will at least recognize that something has changed that way (once you become familiar with them).
    A good start along these lines is a utility which will show you the processes (and mutexes), as well as the cpu utilization of a process. A utility such as Process Explorer is an excellent start. It takes a little time to get a grasp on the normal processes and will probably surprise you with what's running in a normal sense (you may well end up with questions :) ). It's also a good process killer for those cases where a file is un-deletable because it's in use.
    http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
     
  7. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Tony... what suggestions would you have for myself as well as others who read this for some type of program that would be running while online to help in keeping these as well as other nasties out of your system?
     
  8. TonyKlein

    TonyKlein Malware Specialist Thread Starter

    Joined:
    Aug 26, 2001
    Messages:
    10,392
  9. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    There was someone in chat yesterday with RapidBlaster; pointed him towards the rbkiller program and instead he just deleted the whole CLSID section of the registry because he thought that might fix it! Instructed him to restore the registry, but I don't think he did. So this is definitely a good thread!

    At this point it's beyond advertising and antivirus software should pick this up!
    - It calls home for updates.
    - Executes arbitrary code.
    - Random filenames.
    - Clearly tries to avoid detection.

    Maybe the ISP running it can get ahold of its update site and make an update that will remove the virii-like spyware?
     
  10. TonyKlein

    TonyKlein Malware Specialist Thread Starter

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Well, BOClean and Kaspersky are at this moment targeting it, and DiamondCS and ESET will soon. Others will probably follow.

    I'm sorry to say that Ad-Aware with reffile #145 doesn't do a thorough job yet.

    I just tested it on RapidBlaster:

    Only once out of 5 trials did it detect and terminate the running process, which isn't good... :rolleyes:

    None of the five times did it remove the file.

    I guess we'll be recommending RB Killer for a while yet!
     
  11. TonyKlein

    TonyKlein Malware Specialist Thread Starter

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Excellent news:

    RapidBlaster Killer has been updated, and is now at v. 1.3

    New features:

    It will not only terminate the task, and remove the run entry, but also give the user the option of exiting (not the default choice) or proceeding to delete the file(s) and cleanup.

    So the program can now:

    - Delete the RapidBlaster file(s)/folder(s).
    - Delete the Uninstall entry/entries.

    No need to do any additional manual cleaning. :)
    In short: it will delete ALL of this new version of RapidBlaster, and at present it's still the only application which does!


    RB Killer 1.3 download:

    http://www.spywareinfo.com/downloads/rbkiller/rbkiller.exe
    or
    http://www.wilderssecurity.net/downloads/rbkiller.exe

    The webpage: http://www.wilderssecurity.net/specialinfo/rapidblaster.html
     
  12. PCfixer

    PCfixer

    Joined:
    Jul 8, 2003
    Messages:
    31
    Good information, thanks for taking the time to report it. If more of these warnings were posted, life would be easier on the PC; prevention is the best cure. Cheers, Dave
     
  13. valgobo

    valgobo

    Joined:
    Jul 12, 2003
    Messages:
    12
    Hi, Tony

    I got a problem with my internet explorer 6 (ie6).

    I cannot open hotmail.com, and also whenever I am browsing different websites, say mcafee.com or yahoo.com etc., one of the pages could not open at all. For example,

    On mcafee.com I want to scan online for viruses. For this I can go up to the actual "scan now" page after passing through different pages for logins and agreements etc., but I cannot actually execute a scan.

    Similarly I CANNOT open the hotmail.com home page THROUGH Internet Explorer, BUT the same page works perfectly through NETSCAPE 7.0.

    When I read your forums I checked for the RB32 folder and also scanned with "HijackThis", "RapidBlaster Killer" and "SpywareBlaster".
    I found RB and removed the RB32 folder from my system in safe mode.

    But still the same problem persists??
    I have also reinstalled Internet Explorer, but all in vain.

    Can you suggest something else to me please......

    help !!

    valgobo.
     
  14. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Please don't post your questions in other threads that are on different topics. Start your own thread.
     
  15. bassetman

    bassetman Moderator (deceased) - Gone but never forgotten

    Joined:
    Jun 7, 2001
    Messages:
    47,973
    Thanks for all the great info! :D
     
Short URL to this thread: https://techguy.org/138563