Javacool Software - Providing innovative security and privacy software solutions since 2002.

SPYWARE ALERT:
RapidBlaster



Last Updated: December 16, 2003



General Info: RapidBlaster runs as a task at Windows startup. It downloads advertising from the Internet and displays it periodically.



ALERT REGARDING THE NEWEST VARIANT(S) OF RAPIDBLASTER

The most recent variants of RapidBlaster will "morph" themselves to evade detection. Periodically, RapidBlaster will download data from its controlling server that contains a new folder and filename. It will then copy itself to that folder, terminate the original process, delete the original file, and run the new file in the new location.

Since the folder and filenames that RapidBlaster uses are randomly sent from the server, and are not contained within the executable itself, it is very easy for the makers of RapidBlaster to simply update the list of folders/filenames that RapidBlaster uses. Thus, looking for the following folders/filenames should not be the only method of detection, and will not guarantee a RapidBlaster-free system.

List of Known RapidBlaster filenames/folder locations (updated: July 11, 2003)
- rb32.exe (In a "RapidBlaster" folder in Program Files)
- realplay.exe (In a "RealPlay" folder in Program Files)
- Notepad.exe (In a "Notepad" folder in Program Files)
- Bsoft.exe (In a "BelmontSoft" folder in Program Files)
- icon.exe (In a "Icon" folder in Program Files)
- msys.exe (In a "Msyss" folder in Program Files)
- aimaol.exe (In a "Aimaol" folder in Program Files)
- nvd32.exe (In a Program Files\NvidStar directory)
- syscon.exe (In a "Syscon" folder in Program Files)
- winwan.exe (In a "Winwan" folder in Program Files)
- taskmngr.exe (In a "Taskmngr" folder in Program Files)
- mcf.exe (In a "Mcf" folder in Program Files)
- winsyslog.exe (In a "Winsyslog" folder in Program Files)
- yahoo_toolbar.exe (In a "yahoo_toolbar" folder in Program Files)
- surfer.exe (In a "mssurfer" folder in Program Files)
- dkware.exe (In a "DonkeySoft" folder in Program Files)
- kazaa.exe (In a "kazaa" folder in Program Files)
- explorer.exe (In a "explorer" folder in Program Files)
- newsgroup.exe (In a "newsgroup" folder in Program Files)
- spool.exe (In a "spool" folder in Program Files)
- msconfig.exe (In a "msconfig" folder in Program Files)
- adaware.exe (In a "adaware" folder in Program Files)
- iexplorer.exe (In a "iexplorer" folder in Program Files) <-- do not try deleting this unless you are sure it is RapidBlaster!
- syslog.exe (In a "Syslog" folder in Program Files)
- spybott.exe (In a "Spybott" folder in Program Files)
- efaxs.exe (In a "efaxs" folder in Program Files)
- win32_i.exe (In a "win32_i" folder in Program Files)
- Mssurfer.exe (In a "surfer" folder in Program Files)
- foobin.exe (In a "foo1" folder in Program Files)
- Spywareguard.exe (In a "Spyguard" folder in Program Files)
Compiled from information provided by Tony Klein and others.

NOTE: If you find one of these files on your system it is highly recommended that you do not delete it until you can confirm that it is indeed RapidBlaster, and not a legitimate file. (The current variants of RapidBlaster are around 72 kb in size, but that could easily change.) We do not recommend that you try removing RapidBlaster manually - instead, try RapidBlaster Killer.

RapidBlaster also sends what seems to be a unique ID to its controlling servers whenever it requests information (but especially when it requests a new path/filename to "morph" to). This ID seems to contain the local owner's name, stored on your PC, as well as other information.

Removal of RapidBlaster can be difficult. Even if the user can identify where the file is hiding, trying to delete the startup entry in the HKEY_LOCAL_MACHINE Run key will result in RapidBlaster "morphing" to a new path/location. The running RapidBlaster process must be terminated before removal can be successful. It is highly recommended that users trying to manually remove RapidBlaster do so with extreme caution.
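The list above and the Run-key behaviour suggest a report-only triage of startup entries. The following is an added example, not Javacool's code and not how RapidBlaster Killer works. It flags HKEY_LOCAL_MACHINE Run values whose target sits one folder below Program Files and either matches a listed name/folder pair or borrows a Windows system binary's name, which also catches a renamed folder that is not on the list. The `SYSTEM_NAMES` set, the `program_files` default and the sample entries are assumptions constructed for illustration.

```python
import ntpath
import re

# (filename, folder) pairs copied from the alert's list (a subset), lower-cased.
KNOWN_PAIRS = {("rb32.exe", "rapidblaster"), ("notepad.exe", "notepad"),
               ("explorer.exe", "explorer"), ("msconfig.exe", "msconfig"),
               ("nvd32.exe", "nvidstar"), ("surfer.exe", "mssurfer")}
# Assumption: genuine Windows binaries with these names live under the Windows
# directory, so a Run entry using one from Program Files deserves a look.
SYSTEM_NAMES = {"explorer.exe", "notepad.exe", "msconfig.exe"}

# A Run value is either a quoted path plus arguments or an unquoted path to .exe.
EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe))(?:\s|$)', re.IGNORECASE)

def exe_path(command):
    """Return the executable path from a Run-key command line, or None."""
    m = EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else None

def triage(run_entries, program_files=r"C:\Program Files"):
    """Flag Run entries whose target sits one folder below Program Files and
    matches a listed pair or borrows a system binary's name. Reports only."""
    findings = []
    for value_name, command in run_entries.items():
        path = exe_path(command)
        if path is None:
            continue
        folder, fname = ntpath.split(ntpath.normpath(path))
        parent, leaf = ntpath.split(folder)
        if parent.lower() != program_files.lower():
            continue
        reasons = []
        if (fname.lower(), leaf.lower()) in KNOWN_PAIRS:
            reasons.append("listed name/folder")
        if fname.lower() in SYSTEM_NAMES:
            reasons.append("system binary name under Program Files")
        if reasons:
            findings.append((value_name, path, reasons))
    return findings

# Constructed sample of HKLM Run values (value name -> command line).
SAMPLE_RUN = {
    "Notepad": r'"C:\Program Files\Notepad\Notepad.exe" /s',
    "rb": r"C:\Program Files\RapidBlaster\rb32.exe",
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "Updater": r'"C:\Program Files\Example Vendor\updater.exe" /background',
    "Shell": r"C:\Program Files\Shell\explorer.exe",
}
```

A flagged entry is a candidate for confirmation, not deletion; on a live system the dictionary can be filled from the Run key with Python's `winreg` module.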

Known Distribution Sites: RapidBlaster will be installed if you browse to various affiliate sites through an ActiveX drive-by-download. This ActiveX component will then download the latest RapidBlaster executable.

Due to the adult-oriented nature of the affiliate sites, links are not provided.

RapidBlaster may be installed by other spyware. There may also be many other methods of distribution that are not yet known.



Protection: A database update was released on (6/7/2003) for SpywareBlaster that covers the latest variant of RapidBlaster. This will prevent the installation, but cannot prevent RapidBlaster from running once it is installed.



Removal Problems/Tools: Since RapidBlaster will "morph" itself whenever it detects an uninstallation attempt, removal with current anti-spyware software may not be successful.

We have created a unique tool, RapidBlaster Killer, that can scan all running programs, detect RapidBlaster, and successfully terminate the process and remove the Run key registry entry. The newest version can also clean up various RapidBlaster remnants.

RapidBlaster Killer 1.61 - updated December 16, 2003 (mirrored by SpywareInfo)

RapidBlaster Killer will create a log file named "scanlog.txt" in the same folder as "rbkiller.exe" if RapidBlaster is detected, and will notify the user of the file path/location (plus any other actions that took place during optional clean up).

RapidBlaster Killer can now clean up various RapidBlaster remnants after a successful process termination!




Copyright (C) 2003 Javacool Software LLC. All Rights Reserved.
All trademarks are the property of their respective owners.
This site is generously hosted by the Wilders Security Organization.



