Backdoor-ANK

Type: Trojan
SubType: Trojan
Discovery Date: 11/29/2002
Length: 602112 Bytes
Minimum DAT: 4237 (12/11/2002)
Updated DAT: 4238 (12/18/2002)
Minimum Engine: 5.1.00
Description Added: 11/29/2002
Description Modified: 12/04/2002 5:48 AM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low

Characteristics

This trojan allows a hacker to remotely take control of the infected computer. It copies itself as 'SYNCHOST.EXE' into the C:\%Windir% directory and hooks the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

With the value: "Remote Access Slave" C:\%windir%\Synchost.exe

Modifying the registry in this way lets the trojan execute every time the computer is restarted.

The trojan also opens port 4999 to allow the hacker access to the infected computer.
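
The indicators described above (the Run-key value, the dropped file name and the listening port) can be checked against output collected from a suspect host. The following is an added example, not part of the original description or any vendor tool; it assumes the input is saved text from `reg query` on the Run key and from `netstat -an`, and the sample data, including the `C:\WINDOWS` path and the `Updater` value, is constructed.

```python
import re

# Indicators from the description above.
RUN_VALUE_NAME = "remote access slave"
DROPPED_FILE = "synchost.exe"
BACKDOOR_PORT = 4999

# Value line of `reg query` output: name, type and data in space-padded columns.
REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}REG_\w+\s{2,}(?P<data>.*)$")
# Listening TCP socket in `netstat -an` output; local address is IPv4 or [IPv6].
NET_LINE = re.compile(r"^\s*TCP\s+(?P<local>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\b")


def exe_name(command):
    """Lower-cased file name of the program in a Run-key command string."""
    tail = command.rsplit("\\", 1)[-1].split()
    return tail[0].strip('"').lower() if tail else ""


def scan_run_key(reg_output):
    """Return (name, data) for Run values matching the value name or file name."""
    hits = []
    for line in reg_output.splitlines():
        m = REG_LINE.match(line)
        if m and (m.group("name").strip().lower() == RUN_VALUE_NAME
                  or exe_name(m.group("data")) == DROPPED_FILE):
            hits.append((m.group("name").strip(), m.group("data").strip()))
    return hits


def scan_listeners(netstat_output):
    """Return local addresses with a TCP listener on the backdoor port."""
    return [m.group("local") for line in netstat_output.splitlines()
            if (m := NET_LINE.match(line)) and int(m.group("port")) == BACKDOOR_PORT]


# Constructed sample output (not from a real host); C:\WINDOWS stands in for %Windir%.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Remote Access Slave    REG_SZ    C:\WINDOWS\Synchost.exe
    Updater    REG_SZ    "C:\WINDOWS\SYNCHOST.EXE" -q
"""
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4999           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      10.0.0.5:4999          ESTABLISHED
"""

if __name__ == "__main__":
    print(scan_run_key(SAMPLE_REG))
    print(scan_listeners(SAMPLE_NETSTAT))
```

Matching on either the value name or the file name catches an entry where only one of the two was changed, and only local listeners are reported, so an outbound connection to a remote port 4999 is not flagged.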

Symptoms

  • Existence of C:\%Windir%\Synchost.exe

  • The existence of the following registry key value:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Remote Access Slave" C:\%windir%\Synchost.exe

Method of Infection

Execution of the file containing the trojan.

Removal

All Users:
Use specified engine and DAT files for detection and removal. Delete files which contain this detection.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Backdoor.Ripjac (Symantec)
