New Virus?

Discussion in 'NOD32 version 2 Forum' started by Nirvy, Sep 4, 2004.

Thread Status:
Not open for further replies.
  1. Nirvy

    Nirvy Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    25
    Location:
    Leeds, England
    Well it happened, today as i powered on i got my first ever virus in 15 years of owning PC's :(

    I logged on and NOD immediately detected it, sait it couldnt clean it so i deleteted it. I performed a scan after and it came up as showing two other files infected! Now i was very interested as to who i got this Trojan, as im very security concious and pretty savvy about it.

    A search on goole brough ZERO matches. Can anyone advise? Here is the log from nod32.

    C:\WINDOWS\system32\Lhefig32.dll - Win32/Padodor.V trojan
    C:\WINDOWS\system32\Clkhec32.dll - Win32/Padodor.V trojan
    C:\WINDOWS\System32\Jjeieege.dll - Win32/Padodor.V trojan
     
  2. Nirvy

    Nirvy Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    25
    Location:
    Leeds, England
    PLease note in each case i had to delete and also Quarantined the virus as NOD32 could not clean it.

    I have NOD totally up to date, i run Sygate Personal Pro Firewall which i upgraded to the new build yesterday, i have not downloaded anything which may have contained this virus, im VERY careful over what i do online.

    The fact i cant find any info on it makes me wonder if i deleted legitimate windows files in a false alarm, hence me quarentineing them.

    Sygate shows no logs of being attacked, and no apps but a dozen i use regulary have inbound or outbound access.

    Finally my tast manager has no suspicious processes, and i even checked before i deletedthe files.

    *baffled*
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If NOD32 says that a particular infected file cannot be cleaned, it means that it most probably consists only of a virus itself and therefore should be deleted. This is the case of trojans and most worms propagating via email. If you are not sure whether it is safe to delete an infected file, you can always quarantine it (tick the Quarantine check-box and select Delete)
     
  4. Nirvy

    Nirvy Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    25
    Location:
    Leeds, England
    Thanks, got rid of the 3 i found, and after a few reboots i show as clean. Just wondered if anyone knew about this one, im pretty safe about emails. Unless my Fiance did something whilst i was at work.

    Oh well, files deleted anyways, ill just keep an eye out for a bit.
     
  5. msanto

    msanto Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    214
    If you go to Virus Bulletin, you can enter that name (Padodor.V) into Vgrep and it will tell you what other antivirus companies call that virus ... since they don't all use the same name.

    http://www.virusbtn.com/resources/vgrep/index.xml

    I tried that though, and despite the fact it found it, I couldn't get info by clicking through other vendor's links for that virus. Oh well.
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I can't see how this Trojan comes in specifically, however, I would change your passwords, especially if you use Internet Banking and store the password with Internet Explorer, see the following :

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_BERBEW.F

    Aliases: BackDoor-AXJ, BackDoor-AXJ.dll, Backdoor.Padodor.gen
    Pattern file needed: 1.944.28
    Scan engine needed: 6.810

    Overall risk rating: Very Low

    Description:

    This backdoor is capable of stealing cached passwords in Internet Explorer, and posts the gathered data onto a list of Web sites. Also, it stays memory-resident and opens a random port where it listens for commands from malicious users, leaving the system compromised.

    This backdoor drops several files, including a .DLL component (detected by Trend Micro as BKDR_BERBEWDLL.F) that is injected into EXPLORER.EXE to prevent users from viewing the running backdoor process in Task Manager.

    It modifies the Windows registry so that its dropped files are loaded whenever Windows starts up.

    Hope this helps…

    Cheers :D
     
  7. Nirvy

    Nirvy Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    25
    Location:
    Leeds, England
    Weird, i dont use internet explorer at all. I open it maybe once a month to check windows updates.

    I use Opera for my internet banking, but then again i work in the IT dept of the Halifax bank here in the UK, so i can just ask one of the cute girls on the phones to check my accounts :)

    Oh well it seems to be clean now anyways. Thanks
     
  8. Big D1

    Big D1 Registered Member

    Joined:
    Aug 20, 2004
    Posts:
    68
    Just to add some more information.

    Whatever server you or somebody visited was infected with Download.Ject.

    The infected server downloads a trojan to your system. This Trojan horse is named Backdoor:W32/Berbew, also known as Backdoor-AXJ, Webber, or Padodor.


    Read this Microsoft security update here. http://www.microsoft.com/security/incident/download_ject.mspx
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks for the info Big D1

    Cheers :D
     
  10. Nirvy

    Nirvy Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    25
    Location:
    Leeds, England
    It cant be, i havent Opened IE up in nearly a month since i installed SP2. And then the single site i went to was Windows update.

    Opera is not vulnerable to Download.ject

    All i can think is i can across a file that included it.
     
Thread Status:
Not open for further replies.