Backdoor.IzRam.1.7

Discussion in 'malware problems & news' started by Firefighter, Jan 30, 2005.

Thread Status:
Not open for further replies.
  1. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Anyone know about that Backdoor.IzRam.1.7 named by BitDefender? I've got that despite McAfee VSE 8.0i, BOClean 4.12.002 and Ewido 3.0 in real-time protection, and M$ Anti-Spyware Beta and SpyBot 1.4 Beta 2 in real-time scanning too.

    The infected file is IFinst25.exe in C:\WINDOWS folder.

    What does that backdoor do?

    Only RAV online scan and BitDefender 7.2 Free were able to detect that, so I think that it's this.

    Best regards,
    Firefighter!
     

  2. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi,

    Backdoor.IzRam.1.7 is a R.A.T. (remote access trojan).

    Kill these running processes: config.exe, izram.exe

    Remove these files: client.001, config.exe, izram.exe and readme.htm

    That should clear the system; scan with AV again after removal to be sure.

    As for the infection method, I believe e-mail is the most common, or sharing a connection/network with another PC.
     
  3. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Thanks for the info, but I just couldn't find any of the files you mentioned above. Probably this has something to do with "Ragnarok" or something like that, a game which my kid downloaded some months ago.

    Best regards,
    Firefighter!
     
  4. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hopefully it's gone then.

    To the best of my knowledge Backdoor.IzRam.1.7 is a brand new threat (Jan 05); this might explain why your security apps missed it.
     
  5. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Looks like a false positive to me.
     
  6. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus

    For info look HERE, HERE and HERE

    Real threat just not that common
     
  7. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    I've submitted that Zipped "IFinst25.exe" to Ewido yesterday, but no response and no detection yet.

    Best regards,
    Firefighter!
     
  8. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Is this really a false positive? Just now even AntiVir is flagging my sample as infected, as BitDefender and RAV did before, but AntiVir didn't then.

    Best regards,
    Firefighter!
     

  9. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    can you send that zip to me too, you know the addy..
     
  10. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Does that IFinst25.exe have something to do with M$ AntiSpyware Beta?

    McAfee VSE 8.0i with Anti-Spyware module Beta On-Access scan log:

    25.2.2005 10:35:32 No Action Taken GIANTAntiSpywar C:\WINDOWS\IFinst25.exe BackDoor-COE (Trojan)

    Also Sybari in VirusTotal online scan detects it as "BackDoor-COE". (McAfee Engine within?)

    And On-Demand scan result:

    Best regards,
    Firefighter!
     

    Last edited: Feb 25, 2005
  11. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Now I got it. It's a web game played by my son, Ragnarok Online. More infected files by VSE 8.0i.

    26.2.2005 10:31:25 No Action Taken e:\Downloads\RAG_SETUP1207.exe BackDoor-COE(Trojan)
    26.2.2005 10:31:27 No Action Taken e:\Games\RAG_SETUP1117.exe BackDoor-COE(Trojan)
    26.2.2005 10:31:28 No Action Taken e:\Games\SAK_SETUP1117.exe BackDoor-COE(Trojan)

    Added to VSE 8.0i signatures three days ago, 23.2.2005.

    Best regards,
    Firefighter!
     
  12. boredpoo

    boredpoo Guest

    I second this. Ragnarok is the only non-work-related item on my computer (not because my son plays it, because I play it). Those files are the Korean version of the game, not downloadable in the USA unless you change some explorer settings. This could be the game maker's way of fighting back against people downloading their game outside of Korea, but I'm not certain.
     
  13. senshi

    senshi Guest

    I just had Symantec AV detect these files for the first time yesterday as well. I'm wondering if it's a false positive. Symantec detected them as having PWSteal.Trojan.
     
  14. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    So, after all this, BitDefender, RAV, AntiVir, McAfee VSE 8.0i and Symantec all have a false positive here.

    For some strange reason, I just can't believe that FP now, especially because VSE 8.0i and Symantec have detected that file as "infected"; they have very low FP rates, among the lowest.

    Best regards,
    Firefighter!
     
  15. umbrasol

    umbrasol Registered Member

    Joined:
    Mar 9, 2005
    Posts:
    1
    Hi!

    Firefighter, in my search for this exact same problem I have, I have finally found the answer.

    I'm a player of that game, Ragnarok Online; all occidental players found the same problem recently, so research was done to find out why the official site of the game is releasing infected files.

    The files aren't infected with a virus, but antivirus technologies detect them as if they were: the installation files contain a little program to prevent hacking by the players, and it uses methods similar to "backdoor" trojans to do that, so the antivirus detects the files rag_setup1228.exe and sak_setup1228.exe with a trojan, but it's not.

    You could install the game for your son with the antivirus disabled, or from a CD, then be sure you don't have this file "C:\WINDOWS\IFinst25.exe" in your system or in the path where you have your Windows directories; if you do, remove it and that's it.

    I just wanted to come back here and say it, because I found this page in my research for an answer.
     
  16. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Thanks. Still one stupid question. If that "IFinst25.exe" is really clean, why those positive detections so many weeks after it was first detected? Even today, with so many scanners, an FP?

    RAV AntiVirus command line for Linux i386.
    Version: 8.4.3.
    Copyright (c) since 1995 GeCAD The Software Company. All rights reserved.

    Scan engine 8.11 for i386.
    Last update: Mon, 07 Mar 2005 21:45:20 +0200
    Scanning for 114665 malwares (viruses, trojans and worms).

    Scan started on Wed Mar 9 23:20:37 2005

    IFinst25.exe is infected with Backdoor:Win32/IzRam.1_7

    Scan ended on Wed Mar 9 23:20:37 2005

    Scan results:
    Time: 0 second(s).
    Objects scanned: 1. New objects: 1
    Infected: 1. Different virus bodies: 1.

    I thought that this kind of FP is very easy to fix with AV vendors, like those other things that I have seen.

    Secondly, if that "IFinst25.exe" is useless, why would it even be there for a legitimate purpose after all?

    Best regards,
    Firefighter!
     

    Last edited: Mar 9, 2005
  17. S. Ayashi

    S. Ayashi Registered Member

    Joined:
    Mar 11, 2005
    Posts:
    2
    Hi,

    I've had the same problem with the kRO Ragnarok Online Clients. However, not only have I had all the named above, I also constantly get pickups of PWSteal.Trojan from Norton from large temporary files. My computer slows down as well while this happens. Any idea on how to remove that?

    Thanks,

    --sAya
     
  18. Ragnarok

    Ragnarok Guest

    The file is packed with UPX, if you unpack it using UPX and load it into a hex editor it turns out to be a stub uninstaller for InstallFactory (www.installfactory.com), which Gravity (the makers of Ragnarok) use for client packaging. It seems that Norton, McAfee, Panda Titanium and a few other AV softs are seeing it as a trojan.

    The trojans detected are all infectors, which means that if it was a trojan you'd find it infecting other files too.
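    The UPX check the post above describes, as an added example that is not part of the original thread: a small Python PE-header reader that lists section names and flags the default UPX0/UPX1 names, the kind of triage step to do before deciding a detection is a false positive. The PE blob is constructed inside the script (it is not IFinst25.exe or any real file); build_sample_pe, pe_section_names and looks_upx_packed are names chosen here.

```python
import struct


def build_sample_pe(section_names):
    """Constructed test input: a minimal PE32 header blob with the given section names.

    Only the DOS stub, COFF header, optional header and section table are built;
    there is no code or data, so it is not a runnable executable."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos = dos.ljust(e_lfanew, b"\x00")
    opt_size = 0xE0  # size of a PE32 optional header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = b"\x0b\x01" + b"\x00" * (opt_size - 2)  # magic 0x10B = PE32
    sections = b""
    for name in section_names:
        # each IMAGE_SECTION_HEADER is 40 bytes: 8-byte name + 32 bytes of fields
        sections += name.encode().ljust(8, b"\x00") + b"\x00" * 32
    return dos + b"PE\x00\x00" + coff + opt + sections


def pe_section_names(data):
    """Return the section names of a PE image; raise ValueError if it is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        names.append(raw.rstrip(b"\x00").decode("ascii", errors="replace"))
    return names


def looks_upx_packed(data):
    """UPX names its sections UPX0/UPX1 (and sometimes UPX2) by default."""
    return any(n.startswith("UPX") for n in pe_section_names(data))


if __name__ == "__main__":
    sample = build_sample_pe(["UPX0", "UPX1", ".rsrc"])
    print(pe_section_names(sample), looks_upx_packed(sample))
```

    UPX can be told to keep the original section names, so a miss here does not prove the file is unpacked; a hit is simply the cue to unpack it, as the post did, before judging what is inside.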
     
  19. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    As I told ya, a false positive ;)

    However, I'm really disappointed that the big boys have such a bad quality control and even add an installer to their database... :rolleyes:

    Btw. seems like most of them fixed it by now:

     
  20. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    If only the biggest players were among them, but they aren't!

    How can they even get that VB 100% Award when they have results like this? OK, it's only because there is a totally useless clean-file test in Virus Bulletin. Do they even have some Panda files in that clean collection, or other things like that?

    Best regards,
    Firefighter!
     

  21. Fate

    Fate Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    4
    Hi ^^ I'm new here.. umm, so you know the Ragnarok trojan? Is it harmful? And how do I delete it? Thank you ^^
     
  22. borgx

    borgx Guest

    Fate, RO doesn't have a trojan in it, it's just a false positive.
    You can remove the file "IFinst25.exe" (C:\WINDOWS\IFinst25.exe) if you like, but it's just an install/uninstall program. The Gravity installer is clean.
     
  23. Fate

    Fate Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    4
    Thank you very much ^^ borgx ^^ i just really needed to confirm it.. cuz my virus detector detected it.. but couldn't clean it.. so i was like really sad >.< cuz i got this other virus and had to wipe my whole computer.. an evil process lol ^^ just trying to be careful ^^ cuz.. my experiences with viruses are sooo bad lol ><
     
  24. Fate

    Fate Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    4
    Umm, what if I searched for C:\WINDOWS\IFinst25.exe and it doesn't find any of those files? But I still have the trojan? Is it still a false trojan?
     
  25. Fate

    Fate Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    4
    lol sorry for posting so many posts.. I dunno what this would imply lol? When my virus detector (I use McAfee) detects the trojan virus after I download Ragnarok ^^, and I remove the message... but it doesn't get cleaned because it just won't clean it.. but then I click on the Rag setup directly, scan it and it doesn't show any traces of viruses. Is this a good thing?
     