spyware removal instructions

Beast removal

Spyware Beast Information
Name: Beast
Category: RAT
Author: Tataye
Coded in: Delphi. Compressed with ASPack.
Dangerous: Yes
Beast is a RAT, a form of spyware.
You should remove it from your system as soon as possible.
Beast description by Tataye:
1.7: Vendor: "both client & server are embedded in one exe. When running the exe you've two options - run as a Client or as a Server. All you've to do is to run once Beast as a Server on the victim's computer. Before installing, the server made to be edited (i.e. you can define the trojan name, the port & a password for connection). The Trojan will start automatically at the Windows boot"

1.8: Vendor: "The server & the client are embedded in one exe - a trojan pack. When running the exe you will notice there are two options - Run Client or Build Server. If you choose the building option, you'll be prompted to configure the server & afterwards the server is extracted with your settings.

SERVER FEATURES:
- define the listening port
- define the password for connection
- define the name
- choose an icon (there are few built-in icons or you can select another from specific any file - exe, ico, dll)
- the server can't be edited after extraction
- good start-up methods (these can't be selected)
- option for melting the server
- option for Firewall and AV killing
- define ICQ notification
- define mail notification
- hotkeys: if testing server on your own computer you can stop it till next boot with CTRL-ALT-SHIFT-DOWN & kill it with CTRL-ALT-SHIFT-TAB
- size ~193K (not bad for a delphi app)
- only one port opened for all downloads, uploads, commands

CLIENT FEATURES:
- file manager: download, upload, erase all any file etc.
- windows options: power-off, shutdown, reboot, log off, hide all apps, near all apps
- app manager
- process manager
- get log: all the keys & opened windows are stored in an encrypted file
- message box
- clipboard
- update server
- fun stuff: enable-disable taskbar etc."

1.90: Vendor: "The server, the client & the server editor are embedded in one exe - a trojan pack. When you choose to build the server, you'll be prompted to configure the server & afterwards it will be extracted with your settings.

Server features:
- define the listening port
- define the password for connection
- define the name
- choose an icon (there are few built-in icons or you can select ANY icon from specific any file - exe, ico, dll)
- the server can't be edited after extraction
- 2 start-up methods (if you choose the 'continuous' method the server will be executed every time an exe is run; this method has a side effect, the computer can't be restarted or shut down from the start button - this is not an application bug, but I will try to bypass this annoying thing on the next version)
- option for melting the server on the 1st run
- option for keylogger
- option for Firewall and AV killing (over 300 AV-FW are killed)
- define ICQ notification
- define mail notification
- option for hotkeys: if enabling this option you can stop the server with CTRL-ALT-SHIFT-DOWN & kill it with CTRL-ALT-SHIFT-TAB (this could be useful when testing the server or your own computer)
- size: ~31K
- only one port opened for all downloads, uploads, commands
- stability: 100% (you can try to crash the server & if you succeed please let me know)
- server memory usage: 200-500k (could be sometime a little greater, but for short period)

Client Features:
- file manager: download, upload, erase all any file (beginning with the last drive ;-)) etc.
- windows options: power-off, shutdown, reboot, log off, hide all apps, near all apps
- app manager: view/kill visible apps
- process manager: you can kill any NT service
- registry manager: view, add, remove keys (values)
- get log: all the keys & opened windows are trapped & stored in an encrypted file
- message box: send messages to the server
- clipboard: view and define clipboard text
- update server
- fun stuff: enable-disable taskbar etc. etc."

2.01: Vendor: "One of the Fearless coders, Simon Vallor (AKA Gobo), is in jail from January 2003. He was convicted by the London's Southwark Crown Court to 2 years in jail & this for few harmless viruses made by him in 2001. Show your support for Gobo at: www.freegobo.com/."

Beast 2.02:

New features:
- multithreaded client/server (few tasks in the same time)
- multibinder with a 6.x kB stub, coded in Delphi7 :P
- ICQ2003 password support
- run apps & receive output (app redirect)
- download directories
- skins

Improvements:
- speed up all the transfers with ~40%
- smart port listening (i.e. if the port is used, find another)
- smaller servers :P
- XP firewall service stop & disable
- better on-line checking
- & others more subtle

Fixes:
- no security hole, cracking is not possible anymore
- no more IP/Port Scanner crashes
- clipboard manager (no errors if the clipboard information is big)
- screen manager (the pictures made to be saved in any directory)
- etc.

Issues:
- with beast 2.02 you CAN'T connect to older servers!

Tataye
This RAT is also known as:
Backdoor.Beastdoor.18.
Backdoor.Beastdoor.18.b.
Backdoor.Beastdoor.18.c.
Backdoor.Beastdoor.18.d.
Backdoor.Beastdoor.19.
Backdoor.BeastDoor.191.
Backdoor.BeastDoor.192.a.
Backdoor.BeastDoor.192.d.
Backdoor.BeastDoor.192.e.
Backdoor.Beastdoor.200.a.
Backdoor.Beastdoor.200.b.
Backdoor.Beastdoor.200.c.
Backdoor.Beastdoor.200.d.
Backdoor.Beastdoor.200.e.
Backdoor.Beastdoor.201.a.
Backdoor.Beastdoor.201.b.
Backdoor.Beastdoor.202.
Backdoor.BeastDoor.205.
Backdoor.Delf.eu.
BNB - named by Computer Associates.
Univ - named by Panda.
Vienna.BNB.429 - named by Kaspersky.
Vienna.BNB.429.b - named by Kaspersky.
Vienna.Bnb.A virus - named by Eset.


Beast Removal Instructions
Kill the following processes
92e56c9f.exe, 9d6680f5.exe, beast.exe, beast192.exe, beast2.00.exe, beast2.01.exe, beast2.06.exe, server.exe, hservms.exe, mshost.exe
Unregister the following DLLs and reboot
dxdgns.dll in Windows\
Delete these registry entries
HKEY_CLASSES_ROOT\.bad
HKEY_CLASSES_ROOT\beastfile
HKEY_CLASSES_ROOT\beastfile1
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\com service
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{as096941-b967-10d8-9cbd-0000f87a369e}\stubpath
Remove the following files
92e56c9f.exe, 9d6680f5.exe, beast tutorial.pdf, beast.exe, beast192.exe, beast2.00.exe, beast2.01.exe, beast2.01_french_tuto.chm, beast2.06.exe, beastnbl.com, frenchtuto.doc, readme.nfo, readme.txt, server.exe, v-bnb-k.com.
dxdgns.dll in Windows\
msaria.com, msdgqt.com, msdvnp.com, mshiye.com, msisai.com, msndxp.com, msocge.com, msqlxh.com, mswnqu.com in Windows\command\
hlir.blf, hservms.exe, kb.tlg, kd.txs, kl.dli, kl.tti, msbeku.com, msbwdr.com, msbxbs.com, mshlir.com, mshost.exe, msoksw.com, mspfgf.com, msqmqr.com, msujop.com, msyrmu.com, oksw.blf, shell32.com, ujop.blf, yrmu.blf in Windows\system\
comsv.com, mscom32.com in Windows\system\com\
wb.com, wsv.com in Windows\system\wbem\
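
A read-only check for the indicators listed above, as an added PowerShell example that is not part of the original page: it reports matching processes, registry entries and files (with SHA-256) so that a hit on a generic name such as server.exe can be verified before anything is removed. It assumes PowerShell 4 or later and that $env:windir is the Windows\ directory the instructions refer to; the variable names are illustrative.

```powershell
# Read-only audit for the Beast indicators listed above. Nothing is killed or deleted.
# Assumption: $env:windir is the "Windows\" directory the instructions refer to.
$procNames = '92e56c9f','9d6680f5','beast','beast192','beast2.00','beast2.01',
             'beast2.06','server','hservms','mshost'   # Get-Process names omit ".exe"
$regKeys = 'Registry::HKEY_CLASSES_ROOT\.bad', 'Registry::HKEY_CLASSES_ROOT\beastfile',
           'Registry::HKEY_CLASSES_ROOT\beastfile1'
$regValues = @(
  @{ Key = 'Registry::HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run'; Name = 'com service' },
  @{ Key = 'Registry::HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{as096941-b967-10d8-9cbd-0000f87a369e}'; Name = 'stubpath' }
)
# Only files whose directory the page states; '.' is the Windows directory itself.
$filesByDir = [ordered]@{
  '.'           = @('dxdgns.dll')
  'command'     = 'msaria.com','msdgqt.com','msdvnp.com','mshiye.com','msisai.com',
                  'msndxp.com','msocge.com','msqlxh.com','mswnqu.com'
  'system'      = 'hlir.blf','hservms.exe','kb.tlg','kd.txs','kl.dli','kl.tti',
                  'msbeku.com','msbwdr.com','msbxbs.com','mshlir.com','mshost.exe',
                  'msoksw.com','mspfgf.com','msqmqr.com','msujop.com','msyrmu.com',
                  'oksw.blf','shell32.com','ujop.blf','yrmu.blf'
  'system\com'  = 'comsv.com','mscom32.com'
  'system\wbem' = 'wb.com','wsv.com'
}
$findings = @(
  Get-Process -Name $procNames -ErrorAction SilentlyContinue | ForEach-Object {
    # server.exe and mshost.exe are generic names: check Path before acting on a hit.
    [pscustomobject]@{ Type = 'Process'; Item = "$($_.ProcessName) (PID $($_.Id))"; Detail = $_.Path }
  }
  foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { [pscustomobject]@{ Type = 'RegKey'; Item = $k; Detail = '' } }
  }
  foreach ($v in $regValues) {
    $p = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($p) { [pscustomobject]@{ Type = 'RegValue'; Item = "$($v.Key)\$($v.Name)"; Detail = $p.($v.Name) } }
  }
  foreach ($dir in $filesByDir.Keys) {
    foreach ($name in $filesByDir[$dir]) {
      $path = Join-Path (Join-Path $env:windir $dir) $name
      if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        [pscustomobject]@{ Type = 'File'; Item = $path; Detail = $hash }
      }
    }
  }
)
if ($findings.Count -eq 0) { 'No indicators from this list were found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Files the page lists without a directory (beast.exe, server.exe, readme.txt and the others on that line) are not checked by path here, since the page does not say where they reside.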
