The Revenger

· Overview ·
· Origins ·
· Operation ·
· Risks ·
· Detection and Removal ·
· Research ·

Overview
Vendor Notes:	A client for 22 remote access trojans, and removes 257 remote access trojans and 9 file joiners. heuristics, the ability to scan entire folders, added the option to edit the autostarted files, automatic autostart file monitoring.
Alias:	Backdoor.Revenger.10, Backdoor.Revenger.150
Category:	RAT: A Remote Administration Tool, or RAT, is a Trojan that when run, provides an attacker with the capability of remotely controlling a machine via a ""client"" in the attacker's machine, and a ""server"" in the victim's machine. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed in a victim's machine depends on the capabilities of the trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker -- who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses. One common vector is through File and Print Sharing, when home users inadvertently open up their system to the rest of the world. If an attacker has access to the hard-drive, he/she can place the trojan in the startup folder. This will run the trojan the next time the user logs in. Another common vector is when the attacker simply e-mails the trojan to the user along with a social engineering hack that convinces the user to run it against their better judgment.
Variants:	The Revenger 1.0 The Revenger 1.5
Similar Pests:	RAT
Origins
Author:	Chucky,
By This Author:	H2Hack · Revenger 0.2 · The Revenger 1.5 · Y3K Remote Administration Tool · Y3K Remote Administration Tool 1.0 · Y3K Remote Administration Tool 1.1 · Y3K Remote Administration Tool 1.2 · Y3K Remote Administration Tool 1.2 deutsch · Y3K Remote Administration Tool 1.3 · Y3K Remote Administration Tool 1.4 · Y3K Remote Administration Tool 1.4b · Y3K Remote Administration Tool 1.5 · Y3K Remote Administration Tool 1.6 · Y3K Remote Administration Tool 1.6 MegaSecurity · Y3K Remote Administration Tool 1.7 · Y3K Remote Administration Tool pro 0.1 · Y3K Remote Administration Tool Pro 0.2
Programming Language:	Visual Basic
Date of Origin:	Variants from September, 1999 to September, 2001
Operation
Default Port:	58850, 58886 TCP More info about ports.
Storage Required:	The Revenger 1.0: at least 2573 KB The Revenger 1.5: at least 289 KB
Restart:	HKLM\Software\Microsoft\Windows\CurrentVersion\Run "AppName" HKCU\Software\Microsoft\Windows\CurrentVersion\Run "Gytjeingm" HKCU\Software\Mirabilis\ICQ\Agent\Apps\Ajb "Path" HKLM\Software\Microsoft\Windows\CurrentVersion\Run "Bjrf" HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices "Avp" Autostarting Pests
ScreenShot:

The Revenger 1.0

The Revenger 1.5

Risks
Detection Issues:	Difficult to detect by design. May hide from process list. May install with variable names in variable locations.
Detection and Removal
Automatic Removal:	PestPatrol detects this. PestPatrol removes this.
Manual Removal:	Follow these steps to remove The Revenger from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.
	Stop Running Processes: Kill these running processes with Task Manager: client.exe server.exe the revenger 1.0.exe the revenger.exe
	Remove Files: Remove these files (if present) with Windows Explorer: about.txt client.exe server.exe the revenger 1.0.exe the revenger.exe
Research
File Analyses:	The Revenger 1.0: about.txt · server.exe · the revenger 1.0.exe · the revenger.exe The Revenger 1.5: about.txt · client.exe · server.exe
More Info:	AllTheWeb, AltaVista, AOL Search, Ask Jeeves, Google, HotBot, Lycos, LookSmart, MSN, Yahoo!
Research By:	PestPatrol's Pest Research Center
Last Revised:	August 01, 2004