unknown virus / backdoor trojan for IRC
Posted on 2004-11-04
I have discovered a virus/backdoor trojan which I cannot find a resolution for. I have pieces of the virus, but not the entire puzzle to clean the infected machines. I have searched Google, Symantec, etc. for the process name (avirun.exe) but it was probably mutated. Here is what I have:
On Windows 2000 and XP boxes I found a process that runs called avirun.exe. When it runs it makes the computer unable to accept connections, mainly because the virus is opening the box to an IRC channel. I have to reboot in order to delete the avirun.exe, but first I have to delete all the "MSConfig" = "avirun.exe" entries out of the registry keys (and there are quite a few). However, this process comes back. I then found a file, named simply "o", which is displayed below. It looks as if this file FTPs the avirun.exe from another infected machine. Even if I delete all the entries, the avirun.exe and the o file, it still comes back, making me think that it spreads via a Windows exploit. I could not find any file (I checked recently modified files) that is a batch that would call the o file to download the .exe, or any other executables in the regedit Runs. It looks like the Backdoor.Hacarmy.E trojan, except that it keeps coming back.
Has anyone seen this? If so, is there a removal tool? I think if you fully patch the OS and delete all parts, it will stay away, but I need to be able to get rid of it on unpatched systems to stop the spread.
FYI, a full Symantec scan via the Internet or with the newest defs comes up clean.
open [ip address] [port]
user 1 1
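The "o" file in the post is a script for the Windows command-line FTP client (the kind run with ftp -s:filename). When a dropped script like that is found during cleanup, the useful defensive step is to pull the remote host, port, credentials and fetched filenames out of it so they can be blocked at the egress firewall and searched for on other machines. The following parser is an added example written for this page, not code from the original post or from any vendor tool; the sample script it parses is constructed (only the "open ... port" / "user 1 1" shape and the avirun.exe filename come from the post), and the host address is an RFC 5737 documentation placeholder.

```python
"""Triage parser for Windows ftp.exe script files (ftp -s:<file>).

Added example for this thread, not the poster's own code. It understands the
standard ftp client command vocabulary (open/user/get/put/bye ...) and turns a
dropped downloader script into a list of indicators a responder can act on.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the two lines shown in the post.
# 192.0.2.10 is an RFC 5737 documentation address, not a real C2 host.
SAMPLE_SCRIPT = """\
open 192.0.2.10 2121
user 1 1
binary
get avirun.exe
bye
"""

# ftp client commands that carry no indicator on their own.
NOISE_COMMANDS = {"binary", "bin", "ascii", "lcd", "cd", "prompt",
                  "hash", "bye", "quit", "close", "disconnect"}


@dataclass
class FtpScriptIocs:
    host: Optional[str] = None
    port: int = 21                      # ftp.exe default when no port is given
    username: Optional[str] = None
    password: Optional[str] = None
    fetched: List[str] = field(default_factory=list)   # files pulled to the victim
    uploaded: List[str] = field(default_factory=list)  # files pushed off the victim
    unknown: List[str] = field(default_factory=list)   # lines worth a manual look


def parse_ftp_script(text: str) -> FtpScriptIocs:
    """Walk the script line by line the way ftp.exe would read it."""
    iocs = FtpScriptIocs()
    pending_password = False            # 'user name' with no password: next line is it
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending_password:
            iocs.password = line
            pending_password = False
            continue
        parts = line.split()
        cmd, args = parts[0].lower(), parts[1:]
        if cmd == "open" and args:
            iocs.host = args[0]
            if len(args) > 1 and args[1].isdigit():
                iocs.port = int(args[1])
        elif cmd == "user" and args:
            iocs.username = args[0]
            if len(args) > 1:
                iocs.password = args[1]
            else:
                pending_password = True
        elif cmd in ("get", "recv", "mget") and args:
            iocs.fetched.extend(args)
        elif cmd in ("put", "send", "mput") and args:
            iocs.uploaded.extend(args)
        elif cmd in NOISE_COMMANDS:
            pass
        else:
            iocs.unknown.append(line)
    return iocs


def summarize(iocs: FtpScriptIocs) -> List[str]:
    """Render the parsed script as block / hunt actions for the responder."""
    out = []
    if iocs.host:
        out.append(f"egress: block {iocs.host}:{iocs.port} (ftp)")
    for name in iocs.fetched:
        out.append(f"hunt: search hosts for dropped file {name}")
    for name in iocs.uploaded:
        out.append(f"exfil: script uploads {name}")
    if iocs.unknown:
        out.append(f"review: {len(iocs.unknown)} unrecognised line(s)")
    return out


if __name__ == "__main__":
    for action in summarize(parse_ftp_script(SAMPLE_SCRIPT)):
        print(action)
```

Run it against the real "o" file with open(path).read() instead of SAMPLE_SCRIPT; the "unknown" list catches anything outside the normal command set, which is where a hand-edited script usually hides its second stage, so review those lines rather than discarding them.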