Re: Backdoor.IRC.Flood.E & Backdoor.Dvldr
From: <SMiller(at)unimin.com>
Date: Wed Jun 04 2003 - 18:10:21 EDT

Just a few ideas, no guarantees.

Have you deleted all of the indicated files from the system font and inf folders?

Have you tried doing this from a boot to the CLI? (I don't see that in the instructions for removing these specific infections, but I've gotten in the habit:)

Have you looked in win.ini for bogus run= entries? (same comment)

Have you made sure that the user isn't reinfecting by downloading and executing the infected file again (are you on some email system that involves replication for an unprotected server?)

Have you tried Housecall at Trend's site (or other online scanner) to confirm NAV results?

Are there unprotected shares on other machines where this vermin can run and hide?

-Scott Miller
"Curt Snow"
I have a user who has been "infected" with the above two Trojans. They have both been a real hassle to try to remove from her machine. I spent close to an hour a couple nights ago cleaning up the Backdoor.IRC.Flood.E Trojan, deleting any and all references to it in the file system and the registry, only to have it reappear again this morning. The Backdoor.Dvldr Trojan evades even being seen on the machine in the file system or in the registry, yet Norton continues to detect it.

I have followed all instructions on the Symantec web site for cleaning these up, but to no avail. My biggest question at this point is "where do these Trojans get in... what is the method of infection?" And of course how can I eradicate these things without resorting to a complete format and rebuild?

Any and all help would be appreciated.

Received on Wed Jun 4 19:05:12 2003
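
The win.ini check suggested in the reply can be scripted. The following is an added example, not part of the original thread: it lists the run= and load= programs in the [windows] section and flags any that point into the font or inf folders the reply mentions. The sample file contents and file names are constructed, load= is included as the sibling startup key, and splitting entries on spaces or commas is an assumption about how the line lists programs.

```python
import re

# Constructed sample win.ini contents (not taken from the thread).
SAMPLE_WIN_INI = r"""
; for 16-bit app support
[fonts]
[windows]
load=
RUN=C:\WINNT\Fonts\example1.exe C:\TOOLS\tray.exe
; run=C:\old\disabled.exe
NullPort=None
[Mail]
run=C:\WINNT\inf\notstartup.exe
"""

# Folders named in the reply as places the infected files were dropped.
SUSPECT_DIRS = ("\\fonts\\", "\\inf\\")


def startup_entries(text):
    """Return [(key, program)] for run=/load= lines in the [windows] section."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue                               # only [windows] is a startup location
        key, value = line.split("=", 1)
        key = key.strip().lower()                  # INI keys are case-insensitive
        if key not in ("run", "load"):
            continue
        # Assumption: several programs may be listed, split by spaces or commas.
        for prog in filter(None, re.split(r"[\s,]+", value.strip())):
            entries.append((key, prog))
    return entries


def suspicious(entries):
    """Keep entries whose path lies under a font or inf folder."""
    return [(k, p) for k, p in entries
            if any(d in p.lower() for d in SUSPECT_DIRS)]


if __name__ == "__main__":
    for key, prog in suspicious(startup_entries(SAMPLE_WIN_INI)):
        print(f"review {key}= entry: {prog}")
```
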