allentech.net

Parasite: RapidBlaster

This record last updated Tue Sep 20 2005 00:34:15


Description

RapidBlaster is a task run on Windows startup. When an internet connection is present it periodically connects to its servers to fetch advertising.

Variants

RapidBlaster/v1 is the original version. RapidBlaster/lp is an update using a slightly different name (‘rb32 lptt01’).

RapidBlaster/Rnd is an update which uses pseudo-random filenames which it fetches from its controlling server www.rapidblaster.com. If it fails to contact its server it will just use ‘RapidBlaster\rb32.exe’ as with older variants. If you remove it, it will reinstall itself using a new name. Filenames seen so far include:

Adaware\adaware.exe Aimaol\aimaol.exe BelmontSoft\Bsoft.exe
DonkeySoft\dkware.exe efaxs\efaxs.exe Exe\exe.exe
explorer\explorer.exe foobin\foobin.exe general\general.exe
Icon\icon.exe Iexplorer\iexplorer.exe Kazaa\kazaa.exe
Mcf\mcf.exe Microfinder\mcf.exe Mslogon\mslogin.exe
msconfig\msconfig.exe mssurfer\surfer.exe Msyss\msys.exe
Newsgroup\newsgroup.exe Notepad\Notepad.exe NvidStar\nvd32.exe
RapidBlaster\rb32.exe RealPlay\realplay.exe 32services\services.exe
spool\spool.exe Spybott\spybott.exe Spyguard\Spywareguard.exe
Surfer\surfer.exe Syscon\syscon.exe Syslog\syslog.exe
Taskmngr\taskmngr.exe win32_A\win32_a.exe win32_I\win32_i.exe
Winsyslog\winsyslog.exe Winwan\winwan.exe yahoo_toolbar\yahoo_toolbar.exe

RapidBlaster/AInst is an ActiveX installer used to load v1 or lp.

Also known as

rb32, after its original executable name.

Distribution

ActiveX drive-by download on affiliate pages, including misleading download links (e.g. ‘megamovieblaster’) and pop-ups.

Also installed by the ISTBar parasite; the script at this site cannot detect RapidBlaster if installed this way.

What it does

Advertising

Yes, typically pop-ups for porn sites.

Privacy violation

Suspected: the privacy policy at the RapidBlaster site states cookies are used to profile the user’s interests. I have observed no such behaviour from the software at the time of writing.

Security issues

Yes. Can download and execute arbitrary unsigned code pointed to by its controlling servers. Is known to install diallers such as DialerOffline.

RapidBlaster/AInst, if not removed, can also allow any web page to silently reinstall RapidBlaster.

Stability problems

None known.

Removal

Use the Control Panel’s Add/Remove Programs entry for ‘RapidBlaster’ (v1 variant) or ‘rb32 lptt01’ (lp variant). For the Rnd variant, manual removal must be used.

To remove the AInst variant installer, go to the Downloaded Program Files folder inside the Windows folder, right-click the ‘AInst’ item and ‘Remove’ it.

After restarting, you can clear up by deleting the ‘RapidBlaster’ folder inside Program Files, and deleting the key ‘HKEY_LOCAL_MACHINE\Software\RapidBlaster’ from the registry (Start->Run->regedit).

JavaCool’s RBKiller is a specific tool to completely remove RapidBlaster, including the Rnd variant. Spybot Search&Destroy and Ad-Aware should also be able to remove other RapidBlaster variants.

Manual removal

First, open the Task Manager (press Ctrl+Alt+Delete). Find the RapidBlaster program (rb32.exe, or, in the Rnd variant, any one of the above filenames — some are quite similar to normal Windows program names, so be careful). Click on this process name to select it then click ‘End process’ and confirm.

Now open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’). Find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the ‘Something lptt01’ entry on the right. ‘Something’ will be the same as the filename of the RapidBlaster program - you can now delete the folder containing this.
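
The Run-key check from the manual removal steps, as an added Python example (not part of the original page or of the detection script it mentions): it flags values named ‘<program> lptt01’ where the program matches the executable's filename, and entries whose folder\executable pair is among those listed for the Rnd variant. The function names, the subset of pairs and the sample values are assumptions constructed for illustration.

```python
import ntpath
import re

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# A few of the folder\executable pairs the page lists for the Rnd variant.
KNOWN_PAIRS = {("rapidblaster", "rb32.exe"), ("explorer", "explorer.exe"),
               ("notepad", "notepad.exe"), ("32services", "services.exe")}

def exe_path(command):
    """Pull the executable path out of a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command

def suspicious_run_entries(entries):
    """Return (value name, reason) for entries that fit the page's description."""
    hits = []
    for name, command in entries.items():
        folder, exe = ntpath.split(exe_path(command))
        folder, exe = ntpath.basename(folder).lower(), exe.lower()
        prefix, sep, suffix = name.lower().rpartition(" ")
        # Assumption: 'Something' may be the file name with or without '.exe'.
        if sep and suffix == "lptt01" and prefix in (exe, ntpath.splitext(exe)[0]):
            hits.append((name, "value named '<program> lptt01'"))
        elif (folder, exe) in KNOWN_PAIRS:
            hits.append((name, "folder\\exe pair listed for the Rnd variant"))
    return hits

def read_hklm_run():
    """Read the live HKLM Run key (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]
        return {n: str(d) for n, d, _ in (winreg.EnumValue(key, i) for i in range(count))}

# Constructed sample values, not taken from an infected machine.
SAMPLE = {
    "rb32 lptt01": r'"C:\Program Files\RapidBlaster\rb32.exe"',
    "surfer lptt01": r"C:\Program Files\mssurfer\surfer.exe",
    "Notepad": r"C:\Program Files\Notepad\Notepad.exe /s",
    "Shell": r"C:\WINDOWS\explorer.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    for name, reason in suspicious_run_entries(SAMPLE):
        print(f"{name}: {reason}")
```

Matching on the folder and file name together keeps the legitimate C:\WINDOWS\explorer.exe from being flagged. On Windows, pass read_hklm_run() instead of SAMPLE to check the live key.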

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
