RA Backddor

Discussion in 'malware problems & news' started by 0tbyn8r, Feb 12, 2003.

Thread Status:
Not open for further replies.
  1. 0tbyn8r

    0tbyn8r Registered Member

    Joined:
    Feb 12, 2003
    Posts:
    3
    Kind of new here and was hoping someone could help.
    I have a question about the good ol' RA Backdoor trojan. I have a few drives in a removable bay and I noticed on one of them an entry in pc-cillin 2003s firewall log a few attempts by this trojan to sneak out via port 4000. Ran a virus scan. Nothing. Ran a couple of trojan scans (anti-trojan, tauscan). Nothing. Found some info stating the trojan was twd industries 'remote anything' slave.exe. Checked the registry for strange settings such as slave.exe or twd as per the removal instructions. No entries found. So I don't know if I have it or not. The only other thing I could think of was maybe one of many self scan sites i've visited. Would this cause the firewall entry in pc-cillin. I'm also using kerio 3 beta 5 firewall and I visited those self scan sites while setting up my rules. Haven't had anything strange happen other than a few crashes, but that could be because I install/uninstall stuff to try out. This has me stumped. Any ideas would be great. o_O
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Perhaps a real application tried to use that port..

    Check if it is open with Port Explorer, it would be red whether it has a tray icon or not (could be hidden)

    TDS detects many versions of Remote Anywhere, as it can be used as a trojan against unsuspecting users. So download, install and update the database then run a scan

    http://tds.diamondcs.com.au/html/download.htm
     
  3. 0tbyn8r

    0tbyn8r Registered Member

    Joined:
    Feb 12, 2003
    Posts:
    3
    Thanks for the reply Gavin. I have tried the evaluation version of Port Explorer and sure enough, it indicated an entry in red. This turned out to be pc-cillin's own pop3 trap exe. It seemed a bit odd though that it would log one of it's own processes. Stranger still that it would log it as RA Backdoor. I think i'll have to buy Port Explorer. it seems to be a pretty good app. I'm going to try and find which of the self scan sites I used offered the trojan scan option, run it and see if the entry appears in pc-cillin again. I couldn't, however, reconcile the ip address in the log with the other addresses for the port scan option. Again, thanks for the info. :)
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi again,

    See the help file for info on red sockets, anything that is not visible will be shown in red which is why the socket was red. There's everything you need to know about Port Explorer in the help file, you should find it good reading :)

    We can't determine which programs own tray icons at this time, or else it wouldnt show up, but if you are unsure about tray icons just watch Port Explorer while you right click a tray icon (which reveals a menu)..

    As for whether or not you are infected, was the pop3trap.exe listening on port 4000 ? Not a problem if that is all it was, but you really should try a Full System Scan with TDS, of course after updating the databases :)
     
  5. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
  6. 0tbyn8r

    0tbyn8r Registered Member

    Joined:
    Feb 12, 2003
    Posts:
    3
    Thanks again to both of you for the info. I'll be performing those actions in the not-too-distant future as you advised Gavin; and the links Primrose supplied were quite interesting.
    Hmmm...whoever said computers would make life easier? You gotta love the education though :)
     
Thread Status:
Not open for further replies.