RemAdm-JRAT
- Type: Program
- SubType: Remote Access
- Discovery Date: 09/20/2007
- Length:
- Minimum DAT: 5125 (09/21/2007)
- Updated DAT: 5126 (09/24/2007)
- Minimum Engine: 5.1.00
- Description Added: 09/20/2007
- Description Modified: 09/20/2007 2:16 PM (PT)
Characteristics
McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.
See http://vil.nai.com/vil/DATReadme.aspx for a list of Program detections added to the DATs.
See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.
Distribution
This is not a virus or a Trojan. It is detected as a potentially unwanted program. It is a remote administration tool used to control functions of a target computer over a network.
Though the main installation package does show an installation interface and license agreement, the server component, consisting only of a single file, displays nothing when run. The license agreement refers to the "Jashsoft Virus Scan Software" which appears incongruous with the actual function of the software as a remote administration tool. The agreement does not clearly indicate the functionality of the software. Only three short sections are present, the last of which would seem to preclude even using the software as intended for remote administration:
"END-USER LICENSE AGREEMENT FOR JASHSOFT VIRUS SCAN SOFTWARE
...
1. Do not use the same copy of the Virus Scan software on more than 3 computers.
2. Do not make illegal copies of this software.
3. Do not install it on LAN Networks."
The administrator component does include functionality to scan a system over the network, checking for responses by certain known malware that listen on open ports that could indicate possible infection. This would also be directly contradicted by point #3 of the EULA.
The server component need only be executed on the system to be remotely controlled. No visual indication is given that the software is running, and it remains running until the system is restarted or the process is manually halted via the Task Manager or similar tool.
Privacy
A privacy policy is not displayed during installation, nor is one available at the author's website (www.jashsoft.com).
There are privacy implications for users of systems on which the server component is running. Data regarding what programs are running can be obtained with the client, and many system and interface functions can be manipulated.
System Changes
General defaults for typical path variables (although they may be different, they usually are not):
%ProgramFiles% = \Program Files
Files Added
- Installer: jsnrat.exe (238 KB, MD5: FE5632ED3B10BCC703BFF127173DA7CB)
- %ProgramFiles%\Jashsoft Remote Admin Pack\update.ico (1 KB)
- %ProgramFiles%\Jashsoft Remote Admin Pack\uninstal.exe (73 KB)
- %ProgramFiles%\Jashsoft Remote Admin Pack\trojanlist.mdb (86 KB)
- %ProgramFiles%\Jashsoft Remote Admin Pack\nethood.ico (1 KB)
- %ProgramFiles%\Jashsoft Remote Admin Pack\Jashsoft RAdmin.exe (580 KB, MD5: 31D47B4E037EEF1C202A72F59EC58219)
- %ProgramFiles%\Jashsoft Remote Admin Pack\Jashsoft Patch.exe (96 KB, MD5: B1AD56ABC4DBDD3BECE266494CBEAD7E)
- %ProgramFiles%\Jashsoft Remote Admin Pack\Jashsoft EULA.txt (1 KB)
- c:\documents and settings\(user name)\start menu\programs\Jashsoft Remote Admin Pack\Uninstall Jashsoft Remote Admin Pack.lnk (1 KB)
- c:\documents and settings\(user name)\start menu\programs\Jashsoft Remote Admin Pack\Jashsoft Remote Administrator.lnk (1 KB)
- c:\documents and settings\(user name)\desktop\jashsoft remote administrator.lnk (1 KB)
Registry
The following registry keys are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Jashsoft Remote Admin Pack]
  "UninstallString"="C:\Program Files\Jashsoft Remote Admin Pack\Uninstal.exe"
  "DisplayName"="Jashsoft Remote Admin Pack"
Network Impact
The server component listens on the following network connection(s):
- Jashsoft Patch.exe - TCP 3333
A connected remote administrator adds bandwidth overhead from the transmission of system and control data.
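A triage sketch built from the indicators listed above (an added example, not McAfee's code): it grades collected host inventory against the three MD5s, the install directory, the uninstall entry and the TCP 3333 listener. The `triage` function, its input shapes and the sample inventory are assumptions constructed for illustration.

```python
"""Grade host-inventory evidence against the RemAdm-JRAT indicators in this write-up."""
import ntpath

# Indicators copied from the write-up (MD5 -> component).
KNOWN_MD5 = {
    "FE5632ED3B10BCC703BFF127173DA7CB": "installer (jsnrat.exe)",
    "31D47B4E037EEF1C202A72F59EC58219": "administrator client (Jashsoft RAdmin.exe)",
    "B1AD56ABC4DBDD3BECE266494CBEAD7E": "server component (Jashsoft Patch.exe)",
}
INSTALL_DIR = "jashsoft remote admin pack"
SERVER_IMAGE = "jashsoft patch.exe"
SERVER_PORT = 3333
UNINSTALL_NAME = "Jashsoft Remote Admin Pack"


def triage(files, listeners, uninstall_names):
    """files: [(path, md5)], listeners: [(tcp_port, image_path)], uninstall_names: [str].
    Returns a sorted list of (strength, detail); 'strong' = hash- or image-confirmed."""
    findings = set()
    for path, md5 in files:
        component = KNOWN_MD5.get(md5.upper())
        if component:
            # A hash match holds even when the file was renamed or moved.
            findings.add(("strong", f"{component} at {path}"))
        elif INSTALL_DIR in path.lower().split("\\"):
            findings.add(("weak", f"file in install directory: {path}"))
    for port, image in listeners:
        name = ntpath.basename(image).lower()
        if name == SERVER_IMAGE:
            # The server shows no window, so its listener is the main runtime sign.
            findings.add(("strong", f"server listening on TCP {port}"))
        elif port == SERVER_PORT:
            # Other software can use this port; treat as a lead to follow up.
            findings.add(("weak", f"TCP {port} held by {name}"))
    if any(n.strip().lower() == UNINSTALL_NAME.lower() for n in uninstall_names):
        findings.add(("weak", "uninstall entry present (installer was run)"))
    return sorted(findings)


# Constructed sample inventory (not from the page): the single-file server
# present on its own under a different name, with no installer run.
SAMPLE_FILES = [
    (r"C:\Temp\svc.exe", "b1ad56abc4dbdd3bece266494cbead7e"),
    (r"C:\Windows\notepad.exe", "00000000000000000000000000000000"),
]
SAMPLE_LISTENERS = [(3333, r"C:\Temp\svc.exe"), (445, "System")]

if __name__ == "__main__":
    for strength, detail in triage(SAMPLE_FILES, SAMPLE_LISTENERS, []):
        print(f"[{strength}] {detail}")
```

Because the server is a single file that runs without the installer, the uninstall registry entry and install directory can be absent on a host where it is active; the hash and the listener are the checks that still apply.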
Variants
N/A
Removal
Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs