New backdoor??

Greetings all. I have noticed several of my machines have become infected with something that Symatec AV says is backdoor.femo. The problem is that this backdoor is app. 3 years old. Our environment is as such:

1. all people run as Users
2. all machines have latest virus defs

The backdoor puts itself in the system32 folder.

I have infected my computer to gain some insight. Here are the regmon and filemon outputs.

A google of the rdsessmgr64 files shows zero hits.

Any help would be greatly appreciated as I am completely stumped.

The file uploaded is a zip file renamed to logs.log (rename to logs.zip)

Regards,

Gary

 

could be a false positive scan the file with the online jotti file scanner

 

Hello

I tried a google without the 64 on the end. Maybe you are using Windows 64 bit version?

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.dagonit.html

 

If you are running Windows 64 bit version, then maybe the files listed on Symantec link I posted will be differnt names for the 64 bit version.
I am sure you are running a 64 bit version of Norton also?

controler

 

Is there somwhere you could upload the
C:\Documents and Settings\Gary\Desktop\femo\RDSessMgr64.exe file
(and optionally the C:\windows\system32\RDSessMgr64.dll file which it spawns)?

Perhaps the uploads section of http://www.thespykiller.co.uk/forum/index.php?action=forum ?