AIMaster

· Overview ·
· Origins ·
· Distribution ·
· Operation ·
· Risks ·
· Detection and Removal ·
· Research ·

Overview
Vendor Notes:	From the doc: 'What do i do with this?: Dont run it unless you want to f*ck up your computer. You email it (or whatever) to someone and have them run it. You can rename it. What it does: It sets itself up so that its hard to get rid of (like a virus). It looks for commands in the chat window, and when found, executes those commands.' AIMaster -client What it is: It sends commands to the remote AIMaster server through AIM chat. None of the commands are executed on your computer. How to use it: Send the server to someone who uses AIM and have them run it. Invite them to chat, if they're not there already. Then, run the client and fuck em up. Who made this amazing software?: Me (icarus). As far as I know, it is the first of its kind. My AIM SN is HomeyPot Hack. Is this illegal?: Probably "The revolution has begun..." -icarus AIMaster3.0-Lots faster. Commands sent through IMs. NOT detected by Antivirus software. Allows execution of the RATO VBS worm (Also not detected by antivirus) Enhanced virus routines. More commands. Doesnt send underscores. No known bugs.
Alias:	Backdoor Program [Panda], Backdoor.Aimaster, Backdoor.Aimaster [Kaspersky], Backdoor.Almaster [Kaspersky], Backdoor/Aimaster [Computer Associates], Backdoor/AIMaster.Server [Computer Associates], BackDoor-XT [McAfee], Bck/Aimaster [Panda], Bck/Almaster [Panda], security risk or a "backdoor" program [F-Prot], Win32.Aimaster.30 [Computer Associates], Win32/Aimaster.A trojan [Eset], Win32/Aimaster.A.Client trojan [Eset], Win32/Aimaster.C.Trojan [Computer Associates], Win32/Almaster.A trojan [Eset]
Category:	RAT: A Remote Administration Tool, or RAT, is a Trojan that when run, provides an attacker with the capability of remotely controlling a machine via a ""client"" in the attacker's machine, and a ""server"" in the victim's machine. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed in a victim's machine depends on the capabilities of the trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker -- who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses. One common vector is through File and Print Sharing, when home users inadvertently open up their system to the rest of the world. If an attacker has access to the hard-drive, he/she can place the trojan in the startup folder. This will run the trojan the next time the user logs in. Another common vector is when the attacker simply e-mails the trojan to the user along with a social engineering hack that convinces the user to run it against their better judgment. Backdoor: A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system, and open it to future access by an attacker. Trojan: Any program with a hidden intent. Trojans are one of the leading causes of breaking into machines. If you pull down a program from a chat room, new group, or even from unsolicited e-mail, then the program is likely trojaned with some subversive purpose. The word Trojan can be used as a verb: To trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user's account that the hacker can use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs.
Similar Pests:	RAT · Backdoor · Trojan
Origins
Author:	Icarus
Group:	G2007L Security
By This Group:	Gh0std ·
Programming Language:	Visual Basic
Date of Origin:	October, 2001
Distribution
Prevalence:	AIMaster: < 0.00005% More Info
Clot Factor:	AIMaster: < 1 The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.
Operation
Storage Required:	AIMaster: at least 433 KB
ScreenShot:

AIMaster 1.0

AIMaster 3.0

Risks
Detection Issues:	Difficult to detect by design. May hide from process list. May install with variable names in variable locations.
Detection and Removal
Automatic Removal:	PestPatrol detects this. PestPatrol removes this.
Manual Removal:	Follow these steps to remove AIMaster from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.
	Stop Running Processes: Kill these running processes with Task Manager: aimaster.exe aimasternonwinsck.exe backdoor.aimaster.exe c:\sf.exe client.exe server.exe systemroot+\desktop\aohell.exe
	Remove Files: Remove these files (if present) with Windows Explorer: aimaster.exe aimasternonwinsck.exe backdoor.aimaster.exe c:\sf.exe client.exe readme.txt readmeclient.txt readmeserver.txt server.exe systemroot+\desktop\aohell.exe systemroot+\system\wtc911.scr
Research
File Analyses:	AIMaster: aimaster.exe · aimasternonwinsck.exe · backdoor.aimaster.exe · client.exe · readme.txt · readmeclient.txt · readmeserver.txt · server.exe
More Info:	AllTheWeb, AltaVista, AOL Search, Ask Jeeves, Google, HotBot, Lycos, LookSmart, MSN, Yahoo!
Research By:	PestPatrol's Pest Research Center
Last Revised:	April 14, 2005