Ghostadmin, also known as Backdoor.GhostAdmin, is a dangerous threat used by cyber criminals to record all kinds of details about users and to spread further malicious software. Malware analysts discovered it only recently (on the 17th of January, 2017), and so far it has affected only a small number of users. Unfortunately, two of those victims appear to be large companies storing hundreds of gigabytes of extremely valuable information on their computers. According to experienced cyber security specialists, this is just the start, because Ghostadmin seems to be a reworked version of CrimeScene, a well-known piece of malware that was prevalent several years ago. Just like the old threat it is based on, this backdoor sneaks onto computers unnoticed and immediately launches to perform its malicious activities, so users usually know nothing about its presence. By the time they find out that it is active on their systems, it is usually too late: it has already installed malware without permission and stolen a great deal of personal information. If you are reading this article because you suspect that Ghostadmin is active on your computer too, check whether that is true as soon as possible. If your suspicions are confirmed, delete this backdoor immediately!
Once Ghostadmin successfully infiltrates a computer, it immediately creates a folder named GhostAdmin in %PUBLIC%. That folder contains the malicious file taskhost.exe, which appears to be the main file of this threat. It also creates a folder named Roamingghostadmin in %APPDATA%, which holds a file called logfile.lst containing all logged keystrokes. Last but not least, if any audio has been recorded, the audio files can be found in %PUBLIC%\audio. Users who are not sure whether they have encountered Ghostadmin should look for the GhostAdmin folder containing the malicious file in %PUBLIC%. If it is there, there is no doubt that this threat is installed and active on the system. In that case, it should be erased as soon as possible, because this IRC bot accepts a number of different commands from its operator that let it record information easily and perform other activities, e.g. download and install malware.
This backdoor starts working on a computer by establishing a communication channel with its C&C (Command & Control) server, which is known to be an IRC channel. Through that channel the operator sends commands to all infected computers: for example, the bot can browse specific URLs, take screenshots, record audio, interact with local databases, kill various processes, get the IP address, turn the computer on or off, disable the mouse and keyboard, and enable remote connections to the affected computer. This is by no means the full list of commands it supports. Ghostadmin will not stop these activities on its own, but users can put an end to them by fully removing the threat from their systems. It is an extremely dangerous threat, but, luckily, it should be possible to delete it manually. Let's first find out how it is distributed and then talk about the deletion procedure.
Malicious applications are usually disseminated using various dishonest methods, and they tend to show up on computers without the user's knowledge. Ghostadmin is no exception, but, as specialists working at 411-spyware.com have found, users themselves contribute to its entrance by opening a malicious attachment from an email they receive. In most cases, this attachment arrives in a spam email, so users should stay away from such messages in the future. Of course, this alone might not prevent malicious software from entering the computer, so it is a must to install a security application on the system as well. As long as it is installed and enabled, malware will have no way to enter the computer.
As for the removal of Ghostadmin, this backdoor can be erased either manually or automatically. Users who decide to erase it manually should delete two folders: GhostAdmin from %PUBLIC% and Roamingghostadmin from %APPDATA%. This can, of course, be done automatically as well. In fact, it would be smart to perform a full system scan with a reputable antimalware tool, because other threats could have been installed alongside Ghostadmin. There is also the possibility that this backdoor has already downloaded and installed malware without the user's consent.
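The artifact check described above and the two folders named for manual removal, combined into one triage script. This is an added example, not code from the original article or from 411-spyware.com: the paths come from the article, while the SHA-256 reporting, the `env` parameter (so the check can be pointed at copied-out directories) and the review-before-delete flow are assumptions.

```python
"""Triage for the GhostAdmin artifacts named in the article (added example)."""
import hashlib
import os
from pathlib import Path

# Artifacts from the article, each relative to the environment variable it lives under.
# Note: Windows ships its own taskhost* binaries under %SystemRoot%\System32; only the
# copy inside %PUBLIC%\GhostAdmin is the indicator described here.
ARTIFACTS = [
    ("PUBLIC", Path("GhostAdmin") / "taskhost.exe", "main backdoor binary"),
    ("APPDATA", Path("Roamingghostadmin") / "logfile.lst", "keystroke log"),
    ("PUBLIC", Path("audio"), "recorded audio directory"),
]

# Folders the article says to delete during manual removal.
CLEANUP_FOLDERS = [("PUBLIC", Path("GhostAdmin")), ("APPDATA", Path("Roamingghostadmin"))]


def sha256_of(path):
    """Hash a file in chunks so large artifacts do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_artifacts(env=None):
    """Return (description, path, sha256-or-None) for each artifact that is present.
    `env` maps PUBLIC/APPDATA to directories; it defaults to the real environment."""
    env = os.environ if env is None else env
    found = []
    for var, rel, desc in ARTIFACTS:
        base = env.get(var)
        if not base:
            continue  # variable not set (e.g. non-Windows host): nothing to check
        p = Path(base) / rel
        if p.is_file():
            found.append((desc, str(p), sha256_of(p)))
        elif p.is_dir() and any(p.iterdir()):  # audio folder counts only if non-empty
            found.append((desc, str(p), None))
    return found


def cleanup_targets(env=None):
    """Existing folders a manual removal would delete. Nothing is deleted here:
    review the list, preserve copies for analysis, then remove with shutil.rmtree."""
    env = os.environ if env is None else env
    return [str(Path(env[var]) / rel) for var, rel in CLEANUP_FOLDERS
            if env.get(var) and (Path(env[var]) / rel).is_dir()]


if __name__ == "__main__":
    for desc, path, digest in find_artifacts():
        print(f"[!] {desc}: {path}" + (f" sha256={digest}" if digest else ""))
    for folder in cleanup_targets():
        print(f"[-] folder to remove after review: {folder}")
```

Run it as the affected user so that %PUBLIC% and %APPDATA% resolve to that profile; an empty result only means the documented paths are absent, so a full antimalware scan is still warranted.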