backdoor flood

Discussion in 'malware problems & news' started by T Boy, Nov 5, 2002.

Thread Status:
Not open for further replies.
  1. T Boy

    T Boy Registered Member

    Joined:
    Nov 5, 2002
    Posts:
    3
    Location:
    Vancouver BC
    I have a backdoor flood virus with the file "WHVLXD" I delete it and it's back on startup . an Idea's o_O
     
  2. cnm

    cnm Spyware Expert

    Joined:
    Oct 18, 2002
    Posts:
    39
    Location:
    Sunnyvale, CA
    What antivirus and antitrojan programs do you have? Won't either of them remove it?
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
  4. controler

    controler Guest

    Are you using an OS like Windows ME or XP with restore turned on?
    The file maybe appears to the OS to be a system file and therefore
    is restored on boot. If it is really a trojan and not a system file, try turning off restore.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi controler,

    Excuse my butting in like this, but I'm not sure what you mean. I was under the impression System Restore files only became active when the user chooses to go back to an older system state. This can be compared to re-installing a registry backup.
    Did you mean another kind of restore or are there other ways to initiate System Restore that I'm not aware of?

    Regards,

    Pieter
     
  6. Ghost

    Ghost Guest

  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Ahaaa, I see.

    Primrose found a link about disabling System Restore for XP with naked pictures and all (j/k about the naked part)
    http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

    Regards,

    Pieter
     
  8. T Boy

    T Boy Registered Member

    Joined:
    Nov 5, 2002
    Posts:
    3
    Location:
    Vancouver BC
    Norton 2002 on xp but it dose not want to fix or Quarintine it.
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    T Boy,

    Can you look at the Symantec link I posted above and see if you have any of the files noted there? Also, can you check to see if the file that NAV identified is running on your system (look in the process list of the Task Manager by doing a Ctrl - Alt - Del and look for the named file).

    If that file is running, NAV might not be able to delete it. You can do an End Process on it from the Task Manager and then run a full scan as noted in the Symantec link.

    As for System Restore, a safe way to clean that would be to disable it, reboot, re-enable System Restore and reboot. This should wipe all contents of the System Restore folders.

    Are you comfortable using Regedit to scan for any Run or RunServices keys related to this trojan?
     
  10. pin

    pin Registered Member

    Joined:
    Nov 4, 2002
    Posts:
    116
    what a great system restore tip, i never knew about that!!
     
  11. T Boy

    T Boy Registered Member

    Joined:
    Nov 5, 2002
    Posts:
    3
    Location:
    Vancouver BC
    Yep, ............... I don't mind being in the registry
     
  12. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    Well then, at the very least, go into the registry and find out if any auto startup keys were set in the various Run keys and remove them, that's a big step forward in killing off the malware. Reboot and recheck for the keys (see if they came back). If not, make sure NAV defs are up to date and run a FULL scan again and see what it does.
     
  13. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,347
    Location:
    The Netherlands
    It ought to start up from the HKLM run key, and it can usually just be unchecked on Msconfig's Startup tab.

    But do this, and we'll have a look:

    Go to http://www.spywareinfoforum.com/downloads.html , and download 'Startuplist' (in the "Startup Program Management" section).

    Unzip, doubleclick it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

    Go to Edit > select all, copy it and please post the contents here.
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Take a look in the folder where this trojan file was found - there should be a bunch of other files related to it.. there should be lots of INI and TXT files, and at least 2 or 3 EXE files. Common names for these files are

    mirc.ini
    mirc2.ini
    mirc3.ini
    mirc4.ini
    remote.ini
    gates.txt
    27374.txt
    temp.exe (with the mIRC icon)
    temp2.exe
    temp.scr
    temp2.scr

    Usually the whole folder is created with the files in it, if the files are installed somewhere like the Windows folder or you are unsure about the contents of files you can email me, gavin@diamondcs.com.au and I will let you know what is safe to delete.
     
  15. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    You might want to take a look at these threads for your situation.


    irc.trojan virus found!!!

    IRC Flood>>>>
    http://www.dslreports.com/forum/remark,4893805~root=security,1~mode=flat


    IRC virus, how to find the registry keys
    http://www.dslreports.com/forum/remark,4920694~root=security,1~mode=flat


    Why Norton AntiVirus cannot repair files that are infected by a Trojan or a worm
    http://www.dslreports.com/forum/remark,4944303~root=security,1~mode=flat


    For it seems like you have the same or similar exploit. :(
     
Loading...
Thread Status:
Not open for further replies.