IRC Trojan Please help me get rid!!

Discussion in 'malware problems & news' started by Brody, May 25, 2004.

Thread Status:
Not open for further replies.
  1. Brody

    Brody Registered Member

    Joined:
    May 25, 2004
    Posts:
    2
    Hi there everyone, I appear to have an IRC Trojan on my PC. Norton picked it up; however, I have followed the directions on the Symantec website to remove it and have had no luck. I cannot seem to find the files I need to delete.

    The exact message that Norton is coming up with is:

    c:\windows\system32\f0r0r\redroses

    I am very concerned as I believe this can gain access to your personal information. This is really bugging me and I would be extremely grateful if someone could give me some info on how to remove it.

    Regards
    Brody o_O

    PS: I have also run Spybot Search & Destroy.
     
  2. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Brody !

    Welcome to Wilders ! :)

    Your machine is infected with a very nasty bugger. :mad: At this moment, it's nearly impossible to remove. Lots and lots of helping souls around the world are working on the same issue day and night. To our knowledge no antivirus or antispyware product deletes this parasite.

    Now, in order to accurately assess your problem, you need to install HijackThis from here.

    Go there and download the zip file to its own permanent folder (i.e. C:\HijackThis\hjt.zip). Please do not download it either to the desktop or to a temp folder. This will allow it to make back-ups of any changes you make. This is important in the event you need to restore items you chose to fix with HijackThis.

    Now Unzip the file and double click on the HijackThis.exe icon. When finished loading click on the Scan button. Next click on the Save Log button.

    Now, copy the contents and paste them here in a new thread to be checked.

    Please do not fix anything yet as most of what it shows is either necessary or harmless.

    Someone there on the board will check it for you...

    With Thanks !
    Newkid !
     
  3. Brody

    Brody Registered Member

    Joined:
    May 25, 2004
    Posts:
    2
    Hi there Newkid, thanks for your help. Unfortunately the first link does not work (the one for HijackThis), so I am unable to do what you advised, dohh!!
    If you could give me the link again I will have a go.
    Cheers Buddy

    Brody :doubt:
     
  4. matt1330

    matt1330 Registered Member

    Joined:
    Apr 20, 2004
    Posts:
    4
    Location:
    Texas, USA
  5. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
  6. DDG

    DDG Guest

    Hello,

    My name is DDG and I'm an expert on www.spywareinfoforum.com forums. My main hobby there is to provide people with solutions to such complex situations. I have long analyzed this worm and I can fully explain how it works and how it hides itself in such fashion.

    The real thing which is going on here is a combination of two viruses: W32.Aladinz.Gen (also known as Randon) and W32.HackDefender, which is responsible for its stealth behavior. HackDefender installs a driver, in this case dordo.sys, which is responsible for hooking Windows APIs in order to gain control of some OS functions. It is therefore capable of hiding specific processes, files and possibly registry keys.

    Some of the APIs which HackDefender hooks are the following:

    Kernel32.ReadFile, Ntdll.NtQuerySystemInformation (classes 5 and 16), Ntdll.NtQueryDirectoryFile, Ntdll.NtVdmControl, Ntdll.NtResumeThread, Ntdll.NtEnumerateKey, Ntdll.NtEnumerateValueKey, Ntdll.NtReadVirtualMemory, Ntdll.NtQueryVolumeInformationFile, Ntdll.NtDeviceIoControlFile, Ntdll.NtLdrLoadDll, Ntdll.NtOpenProcess, Ntdll.NtCreateFile, Ntdll.NtLdrInitializeThunk, WS2_32.recv, WS2_32.WSARecv, Advapi32.EnumServiceGroupW, Advapi32.EnumServicesStatusExW, Advapi32.EnumServicesStatusExA, Advapi32.EnumServicesStatusA, and others.

    HackDefender first allocates a memory pool inside a host process, and injects its handler functions into this pool. Then, the trojan collects a list of API functions and puts a jump instruction at the beginning of each API function, in order to hook it. The role of this jump instruction is to hand control of the hooked function over to the rootkit (that's what such things are called, e.g. HackDefender). When the API hands control back to the handler function, the rootkit executes its filtering routine in order to conceal specific files, processes, etc.

    This is why you can't locate the f0r0r folder by regular means. A person on another forum claimed that he could access this directory using the Windows command prompt with the CD (change directory) command. This is correct, and can be explained by the fact that the CD command doesn't use any hooked API in order to change the directory position.

    An interesting thing is that if you attempt to create a folder named f0r0r anywhere on your hard disk, it will go stealth too. This is because the driver is set to hide directories possessing this name.

    In order to get rid of this infection, you can attempt a few things. One will surely work for you.

    In order to detect whether you are infected by HackDefender, please download this utility: http://bagpuss.swan.ac.uk/comms/RKD...0%5B1%5D.62.zip

    If you are infected you can try the following: If your system drive (usually C:) is formatted with the FAT32 file system, simply create a bootable floppy, boot from it, and delete the directory from the command prompt. If your system drive is formatted with the NTFS file system, download Bart's PE Builder from http://www.nu2.nu/pebuilder/ in order to create a preinstalled environment CD image. Burn that image and boot using the CD, then use the utilities inside the PE in order to delete this folder.

    You can read more on HackDefender here: http://bagpuss.swan.ac.uk/comms/hxdef.htm

    Another solution is evaluated by me right now, and once I can confirm that it's safe to use, I'll post it. If you are infected and you are willing to help me in testing this solution, please let me know.

    Hope I helped.
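    The two hiding mechanisms described in the post above (a jump written over each API's entry that diverts control into an injected memory pool, and a driver filter that drops directories of a given name from listings) each leave a symptom a defender can test for. The script below is an added example, not code from this thread or from any rootkit: it checks whether a function's first bytes transfer control outside its own module image or differ from the on-disk copy, and it performs a cross-view check by creating a canary directory and comparing the directory listing with direct access. All module addresses, prologue bytes and the canary name are constructed sample data, so the script runs offline on any platform; on a real system the prologue bytes would come from reading process memory and the PE file.

```python
"""Defender-side checks for the two hiding techniques described in the post
above. Added example, not code from this thread or from any rootkit; the
module addresses, prologue bytes and directory name below are constructed
sample data so that it runs offline on any platform."""
import os
import struct
import tempfile

# x86 byte patterns a rootkit typically writes over an API's first bytes to
# divert it: E9 = JMP rel32; FF 25 = JMP [abs32]; 68 imm32 / C3 = PUSH; RET
JMP_REL32 = 0xE9
JMP_INDIRECT = (0xFF, 0x25)
PUSH_IMM32 = 0x68
RET = 0xC3


def hook_target(func_addr, prologue):
    """Return where the first instruction transfers control, or None when the
    prologue does not start with a jump-like sequence."""
    if len(prologue) >= 5 and prologue[0] == JMP_REL32:
        rel = struct.unpack("<i", prologue[1:5])[0]      # signed displacement
        return (func_addr + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and tuple(prologue[:2]) == JMP_INDIRECT:
        return struct.unpack("<I", prologue[2:6])[0]     # address of the pointer
    if len(prologue) >= 6 and prologue[0] == PUSH_IMM32 and prologue[5] == RET:
        return struct.unpack("<I", prologue[1:5])[0]
    return None


def classify(func_addr, prologue, module_base, module_size, disk_prologue=None):
    """Flag an API whose entry jumps outside its own module (handler living in
    a separately allocated pool, as the post describes) or whose in-memory
    bytes differ from the on-disk image when that copy is available."""
    target = hook_target(func_addr, prologue)
    reasons = []
    in_module = target is not None and module_base <= target < module_base + module_size
    if target is not None and not in_module:
        reasons.append("entry jumps outside module to 0x%08x" % target)
    if disk_prologue is not None and prologue[:len(disk_prologue)] != disk_prologue:
        reasons.append("in-memory bytes differ from on-disk image")
    return {"hooked": bool(reasons), "target": target, "reasons": reasons}


def canary_directory_hidden(parent, name):
    """Cross-view check: create a directory, then compare what the listing
    shows against direct access. A folder that is reachable but absent from
    the listing is the symptom the post attributes to the f0r0r folder."""
    path = os.path.join(parent, name)
    os.mkdir(path)
    try:
        listed = name in os.listdir(parent)
        reachable = os.path.isdir(path)
        return reachable and not listed
    finally:
        os.rmdir(path)


# Constructed sample: a 32-bit module image and one exported function.
MODULE_BASE, MODULE_SIZE = 0x7C900000, 0x000B0000
FUNC_ADDR = 0x7C90D750
INJECTED_POOL = 0x00990000                     # constructed address outside the image
CLEAN_PROLOGUE = b"\x8b\xff\x55\x8b\xec"       # mov edi,edi; push ebp; mov ebp,esp
HOOKED_PROLOGUE = bytes([JMP_REL32]) + struct.pack("<i", INJECTED_POOL - (FUNC_ADDR + 5))
# A jump that stays inside the image (e.g. a legitimate forwarder thunk) is
# not flagged on its own; only the on-disk comparison can settle that case.
INTERNAL_JUMP = bytes([JMP_REL32]) + struct.pack("<i", (MODULE_BASE + 0x1000) - (FUNC_ADDR + 5))


def demo_report():
    """Run all checks on the constructed samples and a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        canary = canary_directory_hidden(tmp, "f0r0r")
    return {
        "clean": classify(FUNC_ADDR, CLEAN_PROLOGUE, MODULE_BASE, MODULE_SIZE, CLEAN_PROLOGUE),
        "hooked": classify(FUNC_ADDR, HOOKED_PROLOGUE, MODULE_BASE, MODULE_SIZE, CLEAN_PROLOGUE),
        "internal": classify(FUNC_ADDR, INTERNAL_JUMP, MODULE_BASE, MODULE_SIZE),
        "canary_hidden": canary,
    }


if __name__ == "__main__":
    for name, result in demo_report().items():
        print(name, result)
```

    The on-disk comparison is the stronger of the two prologue checks: an entry jump that lands inside the module is not by itself suspicious, so it is only reported when the in-memory bytes also disagree with the file. The canary check reports False on a clean system and is deliberately cheap, since the post notes that directory listings are filtered while direct access by path still works.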
     
  7. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Thanks DDG, for sharing wonderful thoughts and your experience with us.

    Here, we are also looking at the malware very deeply and soon we'll come out with a permanent solution. The nasty bugger is really very nasty.. :oops:

    Indeed, you are on the right track about this worm.

    With Thanks !
    Newkid !
     
  8. DDG

    DDG Guest

    Hello,

    It seems that I have located a vulnerability in this worm's code which would allow quick and easy removal. As it's not 100% right now, I will not discuss it in public; please visit spywareinfo's chat room in order to talk about it.

    Thanks
     
  9. DDG

    DDG Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    1