Flux Removal Tool from a² (Emsi Software GmbH )

Discussion in 'malware problems & news' started by hayc59, Nov 6, 2004.

Thread Status:
Not open for further replies.
  1. hayc59

    hayc59 Guest


    cause the "Flux problem" becomes more and more public in diffrent boards we decided to create a little thread about that relativly new nastie.

    Flux is a so called reverse backdoor. While normal backdoors would open a port on your computer and a control program would connect to it, Flux won't open a port. The control program opens the port and the backdoor connects to the control program. This makes it fully LAN and router compatible and can circumwent most hardware firewalls.

    Flux uses quite a stealthy technique to run on a victims computer. Instead of creating an own process for himself or injecting a DLL to a third party process Flux uses code injection techniques. That means it injects code (NOT a DLL) to a third party process and runs it within it.

    That makes Flux currently undetectable in memory by most anti malware products cause they only scans the modules of a process (which means the EXE file and all loaded DLLs) and allows Flux to bypass several software firewalls.

    We at Emsi Software GmbH were prepared for the case of the appearance of such a backdoor and already developed an enhanced memory scan to detect such trojans for a² v2. We didn't think such a backdoor would appear that soon so we decided to backport the detection techniques to the current v1 releases. What does that mean?

    Well, a² is currently the only program offering a reliable detection of Flux in memory so a² users are already protected and you don't have to worry about Flux:


    We released a little stand alone scanner that scans for active Flux trojans:


    It works almost automatically. It scans your whole processes and terminates infected processes. Please remember to scan you system with an uptodate anti malware scanner to ensure the loader is removed from the system.

    While detection and deactivation of Flux is quite easy your computer keeps infected as long as you didn't remove the "Flux loader" that did the code injection. So for complete removal of Flux feel free to post a HiJackThis log or to create a support ticket to ensure no loader is left on your computer.

    Wish you all a malware free time :).
Thread Status:
Not open for further replies.