Weekly Spyware Alert: RapidBlaster

 
 
By Webroot Software Development Team  |  Posted 2003-06-23 Print this article Print
 
 
 
 
 
 
 

This nasty piece of code regularly downloads data from its controlling server to your PC, and then morphs itself into a new version and erases its tracks. Ouch.

Aliases: rb32 (its executable name) Variants: RapidBlaster/v1 is the original version. RapidBlaster/lp is an update using a slightly different names. RapidBlaster/Ainst is an ActiveX installer used to load v1 or lp.
The most recent variants of RapidBlaster have been observed "morphing" themselves to evade detection. RapidBlaster periodically downloads data from its controlling server that contains a new folder and filename. It then copies itself to that folder, terminates the original process, deletes the original file, and runs the new file in the new location.
Since the folder and filenames that RapidBlaster uses are randomly sent from the server, and are not contained within the executable itself, it is very easy for the makers of RapidBlaster to simply update the list of folders/filenames that RapidBlaster uses. Thus, looking for known folders/filenames isnt recommended as the only means of detection, as it will not guarantee complete removal of the spy. Description: RapidBlaster is a task run on Windows startup. When an internet connection is present it periodically connects to its servers to fetch advertising. Click here for more details, including removal instructions
 
 
 
 
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel