Solved

Help in removing Trojan horse BackDoor.Afcore.AI

Posted on 2003-11-12
Last Modified: 2013-12-04
I can't seem to remove the Trojan BackDoor.Afcore.AI. I'm using AVG antivirus, TrojanHunter, Ad-Aware and a few others. The only one to find it is AVG, but only during boot up.

C:\WINDOWS\system32:infjgwk.dll.  I know it's in the system stream of NTFS.

I'm running Windows Server 2003 Standard with all service patches installed.

It does not load, I'm guessing, since during boot the pop-up from AVG Resident Shield says not.

But, it needs to go away!

Thanks,
M
Question by:MaxPalma
9 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9732773
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9732782
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9732839
http://tinyurl.com/upwi

Afcore is a backdoor Trojan program that appears as a Windows application file (.dll file) with a size of about 110KB. The Trojan has numerous functions that give 'evildoers' almost full control of victim computers.

Infected message body text contains the following:


If you read this, then this program was probably stolen from our laboratory. Author of this software is not responsible for any harm that may be caused by incompetent or malicious persons who use this software possibly running on your machine. Therefore, please remove this software as soon as possible. Click the "Start" menu, select "Run", enter there: rundll32 ,Uninstall and click "OK"
Upon being launched (executed) the backdoor program installs itself into the supplemental file stream of the NTFS that is associated with the system32 catalog system.

The backdoor registers itself into the system registry auto run key:


 HKLM\Software\Microsoft\Windows\CurrentVersion\Run (assigned name) =
 rundll32 (path to the backdoor program),(options)

The file name is formed from a combination of arbitrary symbols.

The backdoor program has several options that it can use:

 DebugBreakpoint
 DebugInit
 Init
 InitService
 SpawnedInit
 Uninstall

To remotely uninstall itself from victim machines the backdoor uses the following command:


 rundll32 (drive):\%windir%\system32:(name of the backdoor .dll file),Uninstall

When the uninstall command is sent, the Afcore virus removes itself from the system registry, remaining only in the file stream, where it is no longer managed by the startup system. To remove the Afcore backdoor program from the file stream it is necessary to use a special utility.
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9732880
 

Author Comment

by:MaxPalma
ID: 9732901
CrazyOne.. thanks for the help. I found that information, but it really does not help in removing the Trojan. There are about a dozen sites out there that have the same information. If you notice, at the bottom of the information about the Trojan it talks about "stream it is necessary to use a special utility"... The question is, what is that "utility"?

Remember we are talking about Windows Server 2003.. Most "utility" programs don't work for this version.. I know, cause I tried =)

Thanks,
M
 
LVL 44

Accepted Solution

by:
CrazyOne earned 500 total points
ID: 9732954
Yeah, I noticed that too. Weird.

http://www.helpdesk.umd.edu/virus/alerts/aflooder.shtml

Trojan Information:  Aflooder
A number of students have had their Windows systems compromised by this Trojan program, which apparently uses a vulnerability in Internet Explorer to install itself when you visit certain websites. Exact details about the origins of this program are not available, but this program is designed to allow hackers to take control of a compromised machine and possibly use it to send out spam.

Because this program uses a special technique to embed its active code into the structure of a folder (not as a file inside the folder, but as a part or property of the folder itself), it is unclear if any anti-virus software or tools currently available can remove this tool. Fortunately, the trojan can be removed manually if you carefully follow the steps listed below. These steps involve using the Registry Editor utility in Windows--if you are unfamiliar with the Registry Editor, you may want to consult the Help Desk web page on using the Registry Editor:

Click on the Start button on your desktop, go to Run, type in regedit and click OK.

The Registry Editor window will open. Navigate to the following registry folder: HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run (You do this by clicking on the "+" sign next to the Hkey Local Machine folder, then the "+" sign next to Software, then Microsoft, then Windows, then Current Version, and then click on the actual Run folder).

In the Run folder, you will see a number of entries for programs that are started automatically when Windows starts. Look for an entry that looks like this:

rundll32 C:\Windows\System32:xxxxxxx.dll,Init 1

The xxxxxxx.dll could be any set of letters and numbers ending with ".dll", as this trojan creates this filename randomly. Write down the exact name of this filename.

Leave the Registry Editor window open exactly where it is, but click on the Start button again, and again choose Run.

In the Run text box, type in the following command (replacing xxxxxxx.dll with the filename you wrote down in step 3):

rundll32 C:\Windows\system32:xxxxxxx.dll,Uninstall

This command is case sensitive, so all of the letters in the command and file name must match.

Click the OK button. You should see a window indicating that Aflooder (or AF) is being uninstalled (if there is an OK button to click to proceed, click it).

When it seems that the uninstall has finished, click back on the Registry Editor window. It should still be displaying the contents of the Run folder as it was in step 3. Hit the F5 key on your keyboard to refresh the contents of that Run folder. You may see that the entry you saw in step 3 has disappeared now that the uninstall has taken place. If it has not, click once on that entry:

rundll32 C:\Windows\System32:xxxxxxx.dll,Init 1

...to highlight it, then hit the Delete key on your keyboard to delete it. If you are asked if you are sure you want to do this, choose Yes.

Close the Registry Editor window, and reboot your computer. Aflooder should now be removed.

Trend Micro, an anti-virus software vendor, claims that you can avoid being re-infected with this trojan by installing the following Internet Explorer security patch: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-032.asp. We suggest that you download and install that patch, as it may indeed prevent re-infection.

If Aflooder changed your Internet Explorer home page to www.surferbar.com, make sure to change it back to normal. The home page setting for Internet Explorer can be found by clicking on Tools on the menu bar, then Internet Options.
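As an added example (not part of this thread, and not code from any tool the answers mention): a PowerShell script that automates the check behind the steps above on a modern Windows host. It reads the HKLM Run key, flags any rundll32 value whose DLL path has the `directory:stream.dll` shape the Trojan uses, lists the alternate data streams attached to that directory (this is what the "special utility" of the older description did), and with -Remove saves a copy of the stream, deletes it and deletes the Run value. Assumptions: Windows PowerShell 5.1 (for Get-Content -Encoding Byte), an elevated prompt, and that the regex and the function name Get-AdsRunEntries are mine. It does not apply to Windows Server 2003, which predates PowerShell's -Stream support.

```powershell
# Added example, not from the thread: audit the HKLM Run key for rundll32
# entries that load a DLL from an NTFS alternate data stream attached to a
# directory, list the streams on that directory, and optionally remove both
# the stream and the Run value. Requires Windows PowerShell 5.1, elevated.
param(
    [switch]$Remove   # without -Remove the script only reports
)

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Matches e.g.  rundll32 C:\Windows\System32:xxxxxxx.dll,Init 1
# 'host' is the directory carrying the stream, 'stream' the stream name,
# 'export' the DLL export rundll32 is told to call. A normal
# rundll32 C:\dir\file.dll,Export entry has no second colon and does not match.
$adsPattern = '(?i)^\s*(?:"?[^"]*rundll32(?:\.exe)?"?)\s+"?(?<host>[a-z]:\\[^:,"]+):(?<stream>[^,"]+)"?\s*,\s*(?<export>\S+)'

function Get-AdsRunEntries {
    $key = Get-Item -Path $runKey -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        if ($cmd -match $adsPattern) {
            [pscustomobject]@{
                ValueName = $name
                Command   = $cmd
                HostPath  = $Matches['host']
                Stream    = $Matches['stream']
                Export    = $Matches['export']
            }
        }
    }
}

$hits = @(Get-AdsRunEntries)
if ($hits.Count -eq 0) {
    Write-Host "No Run entries reference a directory stream."
}

foreach ($hit in $hits) {
    Write-Host "Run value '$($hit.ValueName)': $($hit.Command)"

    # Show every named stream on the host directory, not only the one the
    # Run key points at; a second stream would be missed by the manual steps.
    $streams = Get-Item -Path $hit.HostPath -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $streams) {
        Write-Host ("  stream {0} ({1} bytes)" -f $s.Stream, $s.Length)
    }

    if ($Remove) {
        # Keep a copy of the stream for analysis before deleting it.
        $backup = Join-Path $env:TEMP ("{0}.bin" -f $hit.Stream)
        Get-Content -Path $hit.HostPath -Stream $hit.Stream -Encoding Byte -ReadCount 0 |
            Set-Content -Path $backup -Encoding Byte
        Remove-Item -Path $hit.HostPath -Stream $hit.Stream
        Remove-ItemProperty -Path $runKey -Name $hit.ValueName
        Write-Host "  removed stream and Run value (copy saved to $backup)"
    }
}
```

Run it without -Remove first; the report alone tells you whether anything still sits in the streams of the system32 directory after the steps above. Unlike the Run-box procedure it never calls the DLL's own Uninstall export, which the asker was wary of; it deletes the stream directly and keeps a copy for a malware analyst.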
 

Author Comment

by:MaxPalma
ID: 9733867
CrazyOne... thanks, I must have missed that website for info.. but there is the question of the name: it is close and the information seems to be the same, but this is "Afcore.AI"... and seems to be a variant of the BackDoor virus. I'm a bit nervous about going into the registry and/or having the Trojan "uninstall" itself. What if this causes it to replicate or destroy the file system that it has embedded itself into so deeply?

Your input is greatly valued!!

M
