Trojan Horse programs are able to hide themselves from being detected
after installing themselves into your computer generally without your knowledge sometimes using similar methods to spyware, but usually harder to fully detect.
Trojan horses are among the most dangerous threats to your computer files
and your confidential information such as your passwords,
credit card data and personal security.
Once a Trojan program is installed on your computer its allows full access to hackers.
The same Trojan can be used secretly by many hackers.
It?s not just one Trojan to one hacker.
It?s one Trojan to many hackers.
A Trojan on your computer can let a hacker view, copy or erase any folder
and any file on your computer just as though he or she were sitting
at your computer using its keyboard and mouse.
Any file on your computer can also be sent to any e-mail address
or posted on the Internet.
There are many ways a system can be infected with a Trojan and because
a Trojan is not the same as a virus (a self-replicating program segment)
it is not always detected by anti-virus software.
Trojans are often installed by a virus or worm that is programmed to open a backdoor into your computer,
sometimes to join in DDoS atacks against other computers, other trojans can be added to popular programs and released
out to newsgroups and p2p networks especially in the hopes of infecting new hosts.
Trojan Horse explanation:
- http://www.viruslist.com/eng/viruslist.html?id=13
complete windows Trojan paper : 24/10/02
- http://www.infosecwriters.com/texts.php?...play&id=58
- Malware: Fighting Malicious Code -
sample Chapters : [ Great Information - Essential reading ]
http://www.informit.com/articles/article...1&seqNum=1
http://www.informit.com/articles/article...1&seqNum=2
http://www.informit.com/articles/article...1&seqNum=3
Trojan Horse Attacks:
http://www.irchelp.org/irchelp/security/trojan.html
Many Bots scan for victims of other Trojans such as SubSeven.
This has two distinct advantages for the hacker.
Firstly they can scan a lot of class C blocks without scanning
themselves or wasting their own bandwidth to do so and secondly
they can get their Bot onto already Trojan infected machines on
the premise that if the owner did not know they had one Trojan
that is detectable by nearly all Anti Trojan/Virus applications
then they certainly won't know they have another that is undetectable
by signature by all of these applications.
This to a large degree is why we use Generics as a second layer of
defense against unknown Trojans.
The SubSeven scan yields victims on default ports and also exploits
the old SubSeven master password which works on all
SubSeven 2.* versions upto and not including SubSeven 2.1.3 Bonus.
Once a victim has been found and logged into using the command
to update from the web is sent. Once received SubSeven will download
the new file and run it and then remove itself.
SubSeven trojan was made to improve upon the design of NetBus.
It has 'improved' NetBus so much now that this is a Very deadly trojan
that can be very damaging and quite hard to remove.
The best way to tell what version of SubSeven you are infected with
is by running an updated AntiVirus program and a Anti-Trojan Scanner.
Next best is to check this Which Version page.
- http://www.hackfix.org/subseven/
- http://www.norman.com/virus_info/subseve...jan.shtml/
- A Remote Administration Tool, or RAT, is a Trojan that when run,
provides an attacker with the capability of remotely controlling
a machine via a "client" in the attacker's machine,
and a "server" in the victim's machine.
The server in the victim "serves" incoming connections to the victim,
and runs invisibly with no user interface.
The client is a GUI front-end that the attacker uses to connect
to victim servers and "manage" those machines.
Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack.
What happens when a server is installed in a victim's machine depends on the
capabilities of the trojan, the interests of the attacker, and whether or not
control of the server is ever gained by another attacker -
- who might have entirely different interests.
Infections by remote administration Trojans on
Windows machines are becoming as frequent as viruses.
REMOTE ACCESS TROJANS
- http://pestpatrol.com/Support/About/About_Rats.asp
- A Backdoor is a program that opens secret access to systems, and is often used to bypass system security.
- A Backdoor program does not infect other host files, but nearly all Backdoor programs make registry modifications.
The Enemy Within: Firewalls and Backdoors :
- http://www.securityfocus.com/infocus/1701
DLL Trojans and other:
- http://home.arcor.de/scheinsicherheit/introduction.htm
- http://securityresponse.symantec.com/avc...anits.html
--------------------------------------------------------------------------------------------------
Most known Trojan horses are programs, which "imitate" some other useful programs, new versions of popular utility software or software updates for them.
Very often, they are sent to BBS stations or Usenet groups.
In comparison with viruses, Trojan horses are not widely spread.
The reason for this is quite simple: they either destroy themselves together with the rest of the data on disks, or unmask their presence and are deleted by victimized users.
Virus "droppers" may also be considered Trojan horses.
They are files infected in such way that known anti-viruses do not determine virus presence in the file.
For example, a file is encrypted in some special way or packed by a rarely used archiver, preventing an anti-virus from "seeing" the infection.
Hoaxes are also worth mentioning.
These are programs that do not cause any direct harm to computers, but, rather,
display messages falsely stating that harm has already been done,
or will be done under some circumstances; or these hoaxes warn a user about some kind of non-existent danger.
Hoaxes are, for example, programs which "scare" a user with a message about disk formatting (although no formatting actually takes place); detect viruses in uninfected files; display strange virus-like messages (CMD640X disk driver from some commercial software packages); etc.
All of this depends on the author's sense of humor.
Apparently, the string "CHOLEEPA" in the second sector of Seagate hard disks is also a hoax.
Purposely false messages about new super viruses also fall into the category of hoaxes.
Such messages appear in newsgroups from time to time, and usually create panic among users.
http://www.viruslist.com/eng/viruslistbooks.html?id=64
-------------------------------------------------------------------------------------------------------------------------------
These sites below will help direct you to the best places to search for hidden trojans/spyware:
Auto Start checklist - best places to check:
http://www.cknow.com/ckinfo/def_a/autostart.shtml
################################
:: BHO Lists / Start Up lists / Process Libraries ::
################################
- http://www.generation.net/~hleboeuf/bho_a_d.htm
- http://www.sysinfo.org/bholist.php
- http://computercops.biz/CLSID.html
- http://computercops.biz/LSPs.html
- http://computercops.biz/StartupList.html
- http://computercops.biz/software.html
- http://www.windowsstartup.com/wso/search.php
- http://www.sysinfo.org/startuplist.php
- http://www.rockymountain.com/ref_startup.htm
- http://www.allsecpros.com/startuplist.html
- http://members.shaw.ca/austin.powers/
- http://www.3feetunder.com/krick/startup/list.html
- http://www.michaelpreslar.com/sysinfo/startupinfo.html
- http://www.neuber.com/taskmanager/process/index.html
- http://www.reger24.de/processes.php
- http://www.answersthatwork.com/Tasklist_...sklist.htm
- http://www.pacs-portal.co.uk/startup_index.htm
- http://www.pacs-portal.co.uk/startup_pag...up_all.php
- http://www.processlibrary.com/
- http://www.liutilities.com/products/wint...sslibrary/
- http://www.liutilities.com/products/wint...ry/system/
- http://www.liutilities.com/products/wint.../security/
-Windows XP Home and Professional Tasks and Services:
- http://www.blkviper.com/WinXP/servicecfg.htm
- http://www.blkviper.com/index.html
Anti Trojan guides and links...
- https://netfiles.uiuc.edu/ehowes/www/info10.htm
- http://radified.com/Articles/trojan.htm
- http://www.net-security.org/dl/articles/...rojans.txt
Reverse Engineering Hostile Code:
- http://www.securityfocus.com/infocus/1637
Merijns Sub 7 trojan Removal Guide
http://www.bluetack.co.uk/forums/index.p...opic=13340
Masters Of Paradise Trojan Removal guides:
http://www.hackfix.org/miscfix/mp.shtml
http://www.pestpatrol.com/PestInfo/m/mas...radise.asp
Sophos Guide to removing Trojans:
1. Removing Trojans in Windows 95/98/Me
2. Removing Trojans in Windows NT/2000/XP/2003
3. Removing Trojans on Macintosh computers
4. Removing Trojans in DOS
5. Removing Trojans in OS/2
6. Removing Trojans in NetWare
7. Removing Trojans in Unix
8. Removing Trojans in OpenVMS
http://www.sophos.com/support/disinfection/trojan.html
---------------------------------------------------------------------------------------------------
If BO is running, it takes mere seconds for an intruder to access
all cached passwords and view most of your system's vital statistics.
He may have all he wants in moments and be gone.
You almost certainly wouldn't notice and there is absolutely nothing you could do.
Back Orifice Removal Guide:
http://www.pchell.com/internet/boserve.shtml
Detailed info on tracking and removing The Back Orifice "Backdoor" Program:
- http://www.nwinternet.com/~pchelp/bo/bo.html
A look into the Back Orifice Trojan:
- http://www.windowsecurity.com/articles/T...rimer.html
----------------------------------------------------------------------------------------------------
A good method of discovering trojan infections is by identifying which virtual ports (there are 65535) are open and in use on your computer.
If you use a antivirus and personal firewall then you have a better chance of detecting and then blocking an unknown trojan from making outbound connections.
There are many programs to monitor for open ports, I mainly rely on TCPView or Outpost firewall to view which ports are listening and operating.
you can also use the builtin windows netstat utility from a command prompt to view the open ports and connections by going to :
- start -> run -> [ type ] cmd.exe [ win2000/xp] or command.exe [ win98/ME] .. then in the command prompt window type - netstat -an
Only a firewall can be set up to block outbound unauthorized traffic from your computer and without one running a trojan can give full access to and from your computer to anyone that manages to locate it with an automated scan or to the person who originally released it.
XP SP2 / ICF firewall will not protect you from Trojans/Malware making outbound connections once they are on your system
Some trojans are able to get through your firewall though, by using DLL / Process injection and other technical methods displayed at the firewall leak testing site:
http://www.firewallleaktester.com
An example:
New Trojan beats firewalls [2003]:
Quote:
A malevolent program capable of using a browser to transmit and receive data secretly across a firewall was demonstrated at the DefCon security conference in the US earlier this year.
Once connected through the browser, the hacker can plant applications to allow activities such as recording
key strokes on the host machine or can access and download files.
Security experts attending DefCon in Las Vegas said the demonstration of Setiri has confirmed their fears that the next step in hacking technology will bypass firewall detection
- http://www.computercops.biz/article1321.html
-continued in 2nd post @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
:: PORTS ::
The port lists below have listed default trojan ports, which the trojan program is designed to listen and operate on, keep in mind that any trojan may be altered to operate on other ports as well, and that activity on a known trojan port may be a false positive and a genuine connection.
Firewalls cannot tell whether the traffic is malicious or harmless , only that it is operating on a known trojan port.
Be suspicious of any connections that you aren't sure about , but don't completely panic if you suddenly notice something that shouldn't be running or is connected to the internet without your authorization. Just be prepared , and if need be , disconnect from the internet if you suspect your are being hacked.
Trojans are not able to infect your computer any further like viruses or worms, but they can often be the result of a virus or worm infection planting a backdoor on your system.
NOTE: Some trojans may use more than one port number. This is because one port is used for "listening" and the other/s are used for the transfer of data.
In their default configurations, the following trojans use:
Back Orifice - UDP port 31337 or 31338
Deep Throat - UDP port 2140 and 3150
NetBus - TCP port 12345 and 12346
Whack-a-mole - TCP port 12361 and 12362
NetBus 2 Pro - TCP port 20034
GirlFriend - TCP port 21544
Sockets de Troie - TCP port 5000, 5001 or 50505
Masters Paradise - TCP port 3129, 40421, 40422, 40423 and 40426
Devil - port 65000
Evil FTP - port 23456
GateCrasher - port 6969
Hackers Paradise - port 456
ICKiller - port 7789
ICQTrojan - port 4590
Phineas Phucker - port 2801
Remote Grab - port 7000
Remote Windows Shutdown - port 53001
http://www.cybercity-online.net/Trojan.html
--------------------------------------------------------------------------------------------------------
Quote:
One of the most frequently fielded questions among security analysts is, "Do I have a Trojan-horse program if I've found a port open on my computer?"
Variations of this question litter security mailing lists, but the answer is always the same: Trace the port number to the program that's opening the port, and investigate the program.
The process of tracing an open port to its causative agent is called port enumeration (or port mapping). Of course, the answer assumes that you have an adequate understanding of port numbers, a good port-enumeration tool, and the ability to research whether the found program is malicious.
Let's take a look at port enumeration in general, then review 11 Windows port enumerators.
Top Port Monitoring Tools :
http://www.winnetmag.com/Articles/Articl...g/1/1.html
Ultimate Trojan Ports List
http://www.bluetack.co.uk/forums/index.p...wtopic=777
-------------------------------------------------------------------------------------------
The port numbers are divided into three ranges: the Well Known Ports,
the Registered Ports, and the Dynamic and/or Private Ports.
The Well Known Ports are those from 0 through 1023.
The Registered Ports are those from 1024 through 49151
The Dynamic and/or Private Ports are those from 49152 through 65535
- http://www.iana.org/assignments/port-numbers
Use this PORT LOOKUP PAGE or download your own copy:
- http://lists.gpick.com/portlist/lookup.asp
For a complete listing of assigned ports and numbers ;
- http://www.networksorcery.com/enp/protoc...s00000.htm
Trojan ports list:
- http://www.glocksoft.com/trojan_port.htm
This excellent Port Reference website also provides their handy tool available for download as a Windows HTML Help (.chm) file.
Direct DOWNLOAD your own copy now or use the ONLINE PAGE to find what services and trojans operate on each port.
immediately useful for doublechecking port connections from the results in your firewall..
Updated regularly
Block known trojan ports:
- http://www.doshelp.com/trojanports.htm
Ports descriptions and services:
- http://www.portsdb.org/bin/portsdb.cgi
Giant Port List:
- http://keir.net/portlist.html
ONCTek has compiled a list of known Trojan/Backdoors and the TCP/UDP ports on which they operate
The list should not be considered complete, nor should all activity on these ports be considered suspect:
- http://www.onctek.com/trojanports.html
Known Ports 0-1023:
- http://www.onctek.com/known_ports.txt
Known registered ports:
The Registered Ports are in the range 1024-49151.
- http://www.onctek.com/registered_ports.txt
------------------------------------------------------------------------------------------------------------------------
Analysis of the BioNet Trojan:
- http://www.misec.net/bionet312analysis.jsp
-computer trojan horses:
- http://www.infosecwriters.com/texts.php?...play&id=39
Trojan search results;
- http://www.computercops.biz/modules.php?...h&topic=24
Google directory on Security/Anti-Trojans/Malicious Software:
- http://directory.google.com/Top/Computers/Security/
- http://directory.google.com/Top/Computer..._Software/
=======================================================================
:: PREVENTION IS BETTER THAN A CURE ::
-------------------------------------------------------------------------------------------------------------------------------
The same programs I use for protection against spyware also work well
against any trojans that attempt to execute , install themselves to auto run by modifying the registry or add themselves as system services etc..
I mainly rely on these for my protection :
- Outpost Pro/Blockpost - Firewall
- Processguard - Kernal mode protection and process termination protection
- SSM / System Safety Monitor - Dll injection protection and more
- RegrunGold - Heavy duty registry / file and full system protection and lots more
- Spywall - Internet explorer browser firewall
- Winpatrol - Lightweight Registry/system monitor
- TDS-3 - Trojan Defence Suite [ discontinued ]
- Wormguard- Worm and script protection
- Goback - Advanced system restore
- Commview - Packet sniffer
Bluetack Hosts file & Hosts File manager:
http://www.bluetack.co.uk/forums/index.p...wforum=125
Applications that have well worked for me in detecting or stopping trojans from installing to begin with:
ProcessGuard
http://www.diamondcs.com.au/
System Safety Monitor
http://syssafety.com/
Winpatrol
- http://www.winpatrol.com
Also my favorite program for monitoring changes to your system and giving you complete control over any changes before windows even boots up , plus system file protection and more is : REGRUN GOLD.
- http://www.wilderssecurity.com/regrungold.html
REGRUN Security Suite
- http://www.greatis.com/security/download.htm
- http://www.greatis.com/security/detail.htm
Outpost firewall
- http://www.agnitum.com
Outpost offers various protections against malicious software , spyware realtime monitor and spyware scanner based on their Tauscan trojan remover engine , also includes component control , hidden process control , and Blockpost - IP blocker [for importing Bluetack spyware blocklist Thumb Up ]
=======================================================================
-continued in 3rd post ANTI-TROJAN PROGRAMS / TOOLS
- Well since Trojan Defence Suite (TDS-3) has now been discontinued Sad , the next best alternatives are included here:
- Ewido - no longer exists ; bought by AVG, now known as AVG antispyware
- http://www.ewido.net/en/?section=ess
- BoClean - bought by Comodo
- http://www.nsclean.com/boclean.html
- TROJANHUNTER -
- http://www.misec.net/trojanhunter/
- The Cleaner -
- http://www.moosoft.com/
- A² Trojan Scanner -
- http://www.emsisoft.com/en/
Quote:
a² personal is primarily a Trojan scanner and remover. But beside Trojan Horses and Backdoors, it also detects other harmful software like Worm-Virurses, Dialer and other dangerous tools which are used by attackers to spy your files. The advanced background guard gives harmful programs no chance to get on your PC. As from now you have the full control over all active programs and their rights on your computer.
- http://www.spywarewarrior.com/uiuc/soft5.htm
- http://www.wilders.org/anti_trojans.htm
- http://www.computercops.biz/downloads-cat-6.html
ANTI-TROJAN forums:
http://forum.misec.net/ - Trojanhunter -
http://www.wilderssecurity.com/index.php?board=5
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Kaspersky Antivirus and Avast , while not trojan scanners , work extremely well at detecting trojans and has powerful scanning features for detecting malicious files inside packed files , which many other antivirus programs miss.
http://www.kaspersky.com
DiamondCS ProcessGuard also needs mentioning..
While not a specific trojan scanner , it will prevent the installation of trojans , rootkits and rogue applications from disabling your security software..
Quote:
DiamondCS ProcessGuard protects Windows processes from attacks by other processes, services, drivers, and other forms of executing code on your system. ProcessGuard also stops applications from executing without the users consent, stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks. ProcessGuard even stops most keyloggers and leaktests, and is recognised by many to be the most comprehensive anti-rootkit solution available.
Download from here :
http://www.diamondcs.com.au/processguard/
A good firewall is also essential , which is why I recommend Outpost Pro.
Tiny Firewall Pro also has some very advanced features for locking down your system if you have time and the knowledge to configure it securely.
-----------------------------------------------------
- Free Tools that can help in Detecting Trojans:
-----------------------------------------------------
-Process Explorer-
-TcpView-
-Filemon-
-Portmon-
-Tdimon-
-Filemap-
* yes theres more...
http://www.sysinternals.com/
http://www.sysinternals.com/ntw2k/freewa...cexp.shtml
http://www.wilders.org/free_tools.htm
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
- Anti-trojan program Comparison by Agnitum with their Tauscan trojan scanner:
http://www.agnitum.com/products/tauscan/compare.html
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
GFI TrojanScan :
Is your system infected by Trojans?
Trojan horses are a huge security threat.
A Trojan is a program that can easily enter your computer undetected,
giving the attacker who planted the Trojan unrestricted access to the
data stored on your computer.
Trojans can transmit credit card information and other confidential data in the background.
Trojans are often not caught by virus scanning engines, because these are focused on viruses, not Trojans.
Catching such threats would require the use of a Trojan scanner
(a.k.a Trojan cleaner, Trojan remover, anti-Trojan).
- http://www.trojanscan.com/
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
* For advanced users *
- Back Officer Download -
- http://www.nfr.com/resource/backOfficer.php
Free - Back Officer Friendly "honeypot" attracts and traps attackers
Known as a "honey pot" for its ability to attract and trap hackers,
Back Officer Friendly (BOF) is a popular free download available exclusively from NFR Security, Inc.
Back Officer Friendly was originally created to detect when anyone attempts a Back Orifice scan against your computer.
It has since evolved to detect attempted connections to other services, such Telnet, FTP, SMTP, POP3 and IMAP2.
When BOF receives a connection to one of these services,
it will fake replies to the hopeful hacker, wasting the attacker's time,
and giving you time to stop them from other mischief.
you will need to fill in a form and a link will be sent to you via email to download the program.
==========================================
Sysinternals ProcessExplorer can also be used for a replacement task manager , especially handy if the windows taskmanager is hijacked or damaged.
You can still remove it all yourself with out buying anything really , you just have to know what your doing , and know what to dig out and whre to dig it out from ..
The programs such as these can make removal a bit easier Very Happy
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
---------------------------------------------------------------------
Alternate Data Streams:
---------------------------------------------------------------------
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
NTFS has alternative data streams, which means that information can be hidden in your HDD without your knowledge or permission.
One way to use alternative data streams is to put a trojan horse in your computer and hide it in alternative data streams.
This could be a serious security issue.
Only ways to find out what alternative datastreams there are, is to download and use programs like TDS-3 , S-Find , ADS spy and others ..
Why is ADS a security risk?
The primary reason why ADS is a security risk is because streams are almost completely hidden and represent possibly the closest thing to a perfect hiding spot on a file system - something trojans can and will take advantage of.
Streams can easily be created/written to/read from, allowing any trojan or virus author to take advantage of a hidden file area.
But while streams can easily be used, they can only be detected with specialist software.
Programs such as Explorer can view normal parent files, but they can't see streams linked to such files, nor can they determine how much diskspace is being used by streams.
Because ADS is virtually unknown to many developers,
there are very few security programs available that are ADS-aware.
As such, if a virus implants itself into an ADS stream,
your anti-virus software will probably not be able to detect it.
In addition, streams cannot be deleted - to delete a stream you must delete its parent.
Streams are of particular importance to law enforcement agencies as important data
can sometimes be hidden in these covert file system channels.
Why does NTFS support streams?
The main (but not only) reason is for Macintosh file support.
Files stored on the Macintosh file system consist of two parts (known as forks) - one data fork, and one resource fork. Windows relies on the extension of the file (eg. ".exe") in order to determine which program should be associated with that file.
Macintosh files use the resource fork to do this.
NT stores Macintosh resource forks in a hidden NTFS stream,
with the data fork becoming the main parent file to the stream.
ADS has other uses.
As just one example, you could store a thumbnail image of a picture in a stream and even an audio track,
allowing a single file to have several multimedia components.
Some anti-virus programs store checksums in a stream under every file on your disk.
More info on Alternate Data Streams :
http://www.bleepingcomputer.com/forums/i...utorial=25
http://www.windowsecurity.com/articles/A...reams.html
http://www.diamondcs.com.au/index.php?pa...fs-streams
ADS scanning Programs :
TDS-3 - http://tds.diamondcs.com.au
Lads - http://www.heysoft.de/Frames/f_sw_la_en.htm
CrucialADS - http://www.crucialsecurity.com/downloads.html
--
ADS Spy
Freeware
Operating System: XP/2000/2003/NT
http://www.bleepingcomputer.com/files/adsspy.php
Ads Spy is a tool used to list, view or delete Alternate Data Streams (ADS) on Windows 2000/XP with NTFS file systems.
ADS is a way of storing meta-information for files without actually storing the information in the file it belongs to, carried over from early MacOS compatibility from Windows NT4.
Recently browser hijackers began using this technique to store hidden information on the system, and even store trojan executable files in ADS streams of random files on the system. Use with caution.
---
you can get Foundstones S-FIND from;
http://www.foundstone.com/knowledge/prod...olkit.html
========================================================
-continued in 4th post ======================================
The following example is the results of a old browser hijack , which also installed a subseven trojan, recorded in early 2003.
It was blocked by Outpost and later killed by me Twisted Evil . Winpatrol detected it atempting to install itself into the auto run registry key.
-two .exe files were created upon infection:
- msrexe.exe and msdos.exe :
--------------------------------------------
C:\WINDOWS\System32\msrexe.exe
C:\Msdos.exe
Default trojan filename: RAT.AlexMessoMalex
UPX0 2576384 UXRW 00000000
UPX1 32768 DXRW bd57383b
UPX2 4096 DRW 273d1722
RegEnumKeyA
ExitProcess
GetProcAddress
LoadLibraryA
PostQuitMessage
Ordinal 115
--------------------------------------------------------------
Outbound connection was blocked by using Outpost firewall Pro V1 in block most mode , which denied the trojan access to the internet since there were no rules allowing it.
66.150.0.159-ortv098.hypermart.net#(bo.trojanhorse-03) 66.150.0.0-66.150.3.255,InfoSpace-Go2net#(trojan-f**kers-03)
Block All Activity MSREXE.EXE TCP 2271 n/a Unknown 0*/00/2003 1:36:30 AM ortv098.hypermart.net *.*.*.*
Block All Activity MSREXE.EXE TCP 1278 n/a Unknown 0*/00/2003 11:30:30 PM ortv098.hypermart.net *.*.*.*
Block All Activity MSREXE.EXE TCP 1294 n/a Unknown 0*/00/2003 4:36:30 PM ortv098.hypermart.net *.*.*.*
Block All Activity MSREXE.EXE TCP 1202 n/a Unknown 0*/00/2003 4:21:30 PM ortv098.hypermart.net *.*.*.*
It was running for a little while , I was a bit too busy with other things to take care of it Very Happy
----------------------------------------------------------------------------------------------------------------------
Ok , the fact is every antivirus company likes to use a different name from their competition just because they can Razz , its a competition after all and the majority are in business for themselves to make money, not to make it easy for people ..
Luckily there are companies however that do provide an enormous amount or research and support for people , not just for their customers.
However , you can get very confusing information when the same Trojan or Virus has six different aliases Rolling Eyes , and its the users problem to try and work it all out not any of the companies.
so this is Symantec's version of the trojan name.. because I used NAV* at that time .. [ *Norton Antivirus] [ since then I have switched to Kaspersky , and now I use NOD 32 ]
alias:
Backdoor.Jeem
From sysinternals process explorer :
\BaseNamedObjects\Jeem.p
Modules used by the process msrexe.exe running on the computer KonTr0L , using Wintasks Pro:
Name Executable
ADVAPI32.dll C:\WINDOWS\system32\ADVAPI32.dll
apitrap.dll C:\WINDOWS\System32\apitrap.dll
DNSAPI.dll C:\WINDOWS\System32\DNSAPI.dll
GDI32.dll C:\WINDOWS\system32\GDI32.dll
iphlpapi.dll C:\WINDOWS\System32\iphlpapi.dll
kernel32.dll C:\WINDOWS\system32\kernel32.dll
msvcrt.dll C:\WINDOWS\system32\msvcrt.dll
mswsock.dll C:\WINDOWS\system32\mswsock.dll
ntdll.dll C:\WINDOWS\System32\ntdll.dll
psapi.dll C:\WINDOWS\System32\psapi.dll
rasadhlp.dll C:\WINDOWS\System32\rasadhlp.dll
RPCRT4.dll C:\WINDOWS\system32\RPCRT4.dll
USER32.dll C:\WINDOWS\system32\USER32.dll
winrnr.dll C:\WINDOWS\System32\winrnr.dll
WLDAP32.dll C:\WINDOWS\system32\WLDAP32.dll
WS2_32.dll C:\WINDOWS\System32\WS2_32.dll
WS2HELP.dll C:\WINDOWS\System32\WS2HELP.dll
wshtcpip.dll C:\WINDOWS\System32\wshtcpip.dll
WSOCK32.dll C:\WINDOWS\System32\WSOCK32.dll
----------------------------------------------------------------------------------
SubSeven v2.1
Msrexe.exe
SubSeven v2.1 can use four different methods to load itself.
It can use one or more of the methods mention below.
To remove check all the alternatives below:
Open c:\windows\win.ini and look for the lines; run=MSREXE.exe load=MSREXE.exe
Delete 'MSREXE.exe' from these lines.
Open c:\windows\system.ini.
Replace the line; shell = Explorer.exe MSREXE.exe with shell = Explorer.exe
Run regedit.exe
Go to
HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\Windows\CurrentVersion\RunServices
Delete any keys with the value; 'MSREXE.exe'
Run Regedit.exe
Go to
HKEY_CLASSES_ROOT\exefile\shell\open\command
If the trojan use this method to load itself, the value in this key will typically be"WINDOS \"%1\" %*"
Replace this value with; "\"%1\" %*" (by simply removing WINDOS from the beginning of the line.)
By using this method, SubSeven trojan will be loaded into memory every time any .exe file is loaded.
A side effect of this is, if you delete the trojan (i.e WINDOS.exe) Windows will not be able to run any .exe program.
Reboot the computer and delete all infected files.