RemoteAccess:Win32/RemoteAnything

RemoteAccess:Win32/RemoteAnything, detected by Microsoft in August 2011, is a Trojan which sneaks into the system unnoticed. Due to its cunning components, the users cannot detect and remove it from the system easily.

One of the malicious files is slave.exe which is widely known as a component of RemoteAccess:Win32/RemoteAnything. This file creates the registry keys which allow the Trojan to start running when the user logs in to the system. In addition, the file might initiate security messages and warnings, gather information and send it to remote computers and also send mime emails.

In addition, the Trojan uses such valid file names as divxinstaller813.exe and avast!-5.exe to hide itself in the system. For example, divxinstaller813.exe is attributed to DivX Setup, which is a video player. After the installation of the program, divxinstaller813.exe is normally located in the folder “Program Files”. However, if you find this name somewhere outside the folder, you should get suspicious about this file and the reason of its presence. The malicious divxinstaller813.exe creates more files in the system so that the infection is not detected easily, and attempts to collect email addresses and personal information. Moreover, the name of the security tool Avast is also used to hide the Trojan. Scan your system for infections if you find avast!-5.exe, even though you do not have Avast installed.

In addition, RemoteAccess:Win32/RemoteAnything uses a Windows process name lssas.exe to trick PC’s users. The process LSASS supervises whether the user provides the system with the correct information to access the system and administrates the modifications of the passwords. This process can be found in the Task Manager. Interestingly, when the name of the file used to hide the infection, the name lsass.exe (lower L) is changed into a capitalised i, and the users might be easily mistaken by this modification.

As a result, RemoteAccess:Win32/RemoteAnything will not be removed from the system if the malicious components remain undetected. Thus, to delete this infection and protect your data, we recommend using a legitimate security tool which will detect and remove the Trojan automatically. Do not attempt to get rid of this infection manually, because you might delete legitimate system files and cause serious damage to the system.