Backdoor.IzRam.1.7

Anyone know about that Backdoor.IzRam.1.7 named by BitDefender? I've got that despite of McAfee VSE 8.0i, BOClean 4.12.002 and Ewido 3.0 in real time protection and M$ Anti-Spyware Beta and SpyBot 1.4 Beta 2 too in real time scanning.

The infected file is IFinst25.exe in C:\WINDOWS folder.

What does that backdoor do?

Only RAV online scan and BitDefender 7.2 Free were able to detect that, so I think that it's this.

Best regards,
Firefighter!

 

Hi,

Backdoor.IzRam.1.7 is a R.A.T (remote access trojan)

Kill these running processes config.exe, izram.exe

Remove these files client.001, config.exe, izram.exe and readme.htm

That should clear the system, scan with Av again after removal 2 be sure.

As for the infection method, i believe Email is the most common or sharing a connection/network with another PC.

 

Thanks for the info but I just couldn't find any of these files you just mentioned above. Propably, this has something to do with "Ragnarok" or something like that, a game which my kid has downloaded some months ago.

Best regards,
Firefighter!

 

Hopefully its gone then.

To the best of my knowledge Backdoor.IzRam.1.7 is only a brand new threat (Jan 05) this might explain why your security apps missed it

 

Looks like a false positive to me.

 

For info look HERE , HERE and HERE

Real threat just not that common

 

I've submitted that Zipped "IFinst25.exe" to Ewido yesterday, but no response and no detection yet.

Best regards,
Firefighter!

 

Is this really a false positive. Just now even AntiVir is flagging my sample as infected, as BitDefender and RAV made it before, but not AntiVir then.

Best regards,
Firefighter!

 

can you send that zip to me too, you know the addy..

 

Does that IFinst25.exe have something to do with M$ AntiSpyware Beta?

McAfee VSE 8.0i with Anti-Spyware module Beta On-Acces scanlog:

25.2.2005 10:35:32 No Action Taken GIANTAntiSpywar C:\WINDOWS\IFinst25.exe BackDoor-COE (Trojan)

Also Sybari in VirusTotal online scan detects it as "BackDoor-COE". (McAfee Engine within?)

And On-Demand scan result:

Best regards,
Firefighter!

 

Now I got it. It's a web game played by my son, Ragnarok Online. More infected files by VSE 8.0i.

26.2.2005 10:31:25 No Action Taken e:\Downloads\RAG_SETUP1207.exe BackDoor-COE(Trojan)
26.2.2005 10:31:27 No Action Taken e:\Games\RAG_SETUP1117.exe BackDoor-COE(Trojan)
26.2.2005 10:31:28 No Action Taken e:\Games\SAK_SETUP1117.exe BackDoor-COE(Trojan)

Added to VSE 8.0i signatures three days ago, 23.2.2005.

Best regards,
Firefighter!

 

I second this. Ragnarok is the only non-work-related item on my computer (not because my son plays it, because I play it). Those files are the Korean version of the game, not downloadable in the USA unless you change some explorer settings. This could be the game maker's way of fighting back against people downloading their game outside of Korea, but I'm not certain.

 

I just had symantec av detect these files for the first time yesterday as well. I'm wondering if it's a false positive. Symantec detected them as having pwsteal.trojan.

 

So, after all this, BitDefender, RAV, AntiVir, McAfee VSE 8.0i and Symantec are all having a False Positive in here.

For some strange reason, I just can't believe that FP now especially because of VSE 8.0i and Symantec have detected that file as "infected", they have very low FP rates, among the lowest.

Best regards,
Firefighter!

 

Hi!

Firefighter, in my search for this exactly same problem i have, i have lastly found the answer.

Im a player of that game, Ragnarok Online, all occidental players found the same problem recently, so an research was made to find out why the official site of the game is releasing infected files.

They files aren't infected with a virus, but Antivirus technologies detects it as it would be, the instalation files contents a little program to prevent hacking from the players and use similar methods of "backdoor" trojans to do that, so the antivirus detects the files rag_setup1228.exe and sak_setup1228.exe with a trojan, but it's not.Y

ou could install the game for your son disabling the antivirus, or from a cd, then be sure you dont have this file "C:\WINDOWS\IFinst25.exe" in your system or in the path you have your windows directories, if you do, remove it and that's it.

I just wanted to came back here and say it, cause i found this page in my research for an answer.

 

Thanks. Still one stupid question. If that "IFinst25.exe" is really clean, why those positive detections after so many weeks it was first detected? Even today with so many scanners a FP?

RAV AntiVirus command line for Linux i386.
Version: 8.4.3.
Copyright (c) since 1995 GeCAD The Software Company. All rights reserved.

Scan engine 8.11 for i386.
Last update: Mon, 07 Mar 2005 21:45:20 +0200
Scanning for 114665 malwares (viruses, trojans and worms).

Scan started on Wed Mar 9 23:20:37 2005

IFinst25.exe is infected with Backdoor:Win32/IzRam.1_7

Scan ended on Wed Mar 9 23:20:37 2005

Scan results:
Time: 0 second(s).
Objects scanned: 1. New objects: 1
Infected: 1. Different virus bodies: 1.

I thought that this kind of FP is very easy to fix with av-vendors like those other things that I have seen.

Secondly, if that "IFins25.exe" is useless, why that will be even there in legitimate purpose after all?

Best regards,
Firefighter!

 

Hi,

I've had the same problem with the kRO Ragnarok Online Clients. However, not only have I had all the named above, I also constantly get pickups of PWSteal.Trojan from Norton from large temporary files. My computer slows down as well while this happens. Any idea on how to remove that?

Thanks,

--sAya

 

The file is packed with UPX, if you unpack it using UPX and load it into a hex editor it turns out to be a stub uninstaller for InstallFactory (www.installfactory.com), which Gravity (the makers of Ragnarok) use for client packaging. It seems that Norton, McAfee, Panda Titanium and a few other AV softs are seeing it as a trojan.

The trojans detected are all infectors, which means that if it was a trojan you'd find it infecting other files too.

 

As I told ya, a false positive

However, I'm really disappointed that the big boys have such a bad quality control and even add an installer to their database...

Btw. seems like most of them fixed it by now:

 

If only the biggest players were within, but they aren't!

How they can even get that VB 100% Award, when they have results like this. OK, it's only because there is totally useless clean file test in VirusBulletin. Do they have even some Panda files in that clean collection or other things like that?

Best regards,
Firefighter!

 

HI ^^ I'm new here.. umm so you know the ragnarok trojan? Is it harmful? and how do I delete it? thank you ^^

 

Fate, RO doesnt have a trojan in it, its just a false positive.
You can remove the file "IFinst25.exe" (C:\WINDOWS\IFinst25.exe) if you like, but its just an install/uninstall program. The Gravity Installer is clean.

 

Thank you very much ^^ borgx ^^ i just really needed to confirm it.. cuz my virus detector detected it.. but couldn't clean it.. so i was like really sad >.< cuz i got this other virus and had to wipe my whole computer.. an evil process lol ^^ just trying to be careful ^^ cuz.. my experiences with viruses are sooo bad lol ><

 

umm what if i searched for C:\WINDOWS\IFinst25.exe and it doesn't find any of those files? but i still have the trojan? is it stilll a false trojan?

 

lol sorry for posting soo many posts.. i dunno what this would imply lol? when my virus detector, i use McAffee detects the trojan virus.. after i download ragnarok ^^, and i remove the message... but it doesn't get cleaned cuz it just won't clean it.. but then i click on the rag set up directly,,, scan it and it doesn't show any traces of viruses. is this a good thing?