Saturday, June 4, 2011

Remote Access Trojans (RAT) removal

Remote Access Trojans (RATS) are malicious programs that run invisibly on host PCs and permit an intruder remote access and control.

On a basic level, many RATs mimic the functionality of legitimate remote control programs such as TeamViewer but are designed specifically for stealth installation and operation. Intruders usually hide these Trojan horses in games and other small programs that unsuspecting users then execute on their PCs. Typically, exploited users either download and execute the malicious programs or are tricked into clicking rogue email attachments.

Remote Access Trojan Defined

Recent RATS create the following null registry keys; 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F4046E19-9A33-3DA4-5EBC-CD6114454DBA} 

This key F4046E19-9A33-3DA4-5EBC-CD6114454DBA is not deletable using Registry Editor. You cannot search for it and delete it, Regedit will complain that it is not found!Use GMER tool (is an application that detects and removes rootkits and works with Win7) available at to find suspect rootkits and bad registry keys.

To remove a null registry key, you can use the toolkit provided by Mark Russinovich's suite of tools available from Microsoft  named Sysinternals. 

RegDelNull v1.1 This command-line utility searches for and allows you to delete Registry keys that contain embedded-null characters and that are otherwise undeleteable using standard Registry-editing tools. Note: deleting Registry keys may cause the applications they are associated with to fail. Back-up your registry and be sure you know what you are doing.