RA Backdoor

Discussion in 'malware problems & news' started by 0tbyn8r, Feb 12, 2003.

Thread Status:
Not open for further replies.
  1. 0tbyn8r

    0tbyn8r Registered Member

    Joined:
    Feb 12, 2003
    Posts:
    3
    Kind of new here and was hoping someone could help.
    I have a question about the good ol' RA Backdoor trojan. I have a few drives in a removable bay, and on one of them I noticed an entry in PC-cillin 2003's firewall log: a few attempts by this trojan to sneak out via port 4000. Ran a virus scan. Nothing. Ran a couple of trojan scans (Anti-Trojan, TauScan). Nothing. Found some info stating the trojan was TWD Industries' 'Remote Anything' slave.exe. Checked the registry for strange settings such as slave.exe or TWD as per the removal instructions. No entries found. So I don't know if I have it or not. The only other thing I could think of was maybe one of the many self-scan sites I've visited. Would this cause the firewall entry in PC-cillin? I'm also using Kerio 3 beta 5 firewall, and I visited those self-scan sites while setting up my rules. Haven't had anything strange happen other than a few crashes, but that could be because I install/uninstall stuff to try out. This has me stumped. Any ideas would be great. o_O
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Perhaps a real application tried to use that port..

    Check whether it is open with Port Explorer; it would show in red whether it has a tray icon or not (it could be hidden).

    TDS detects many versions of Remote Anywhere, as it can be used as a trojan against unsuspecting users. So download, install and update the database, then run a scan.

    http://tds.diamondcs.com.au/html/download.htm
     
  3. 0tbyn8r

    0tbyn8r Registered Member

    Joined:
    Feb 12, 2003
    Posts:
    3
    Thanks for the reply Gavin. I have tried the evaluation version of Port Explorer and sure enough, it indicated an entry in red. This turned out to be PC-cillin's own POP3 trap exe. It seemed a bit odd, though, that it would log one of its own processes. Stranger still that it would log it as RA Backdoor. I think I'll have to buy Port Explorer; it seems to be a pretty good app. I'm going to try and find which of the self-scan sites I used offered the trojan scan option, run it and see if the entry appears in PC-cillin again. I couldn't, however, reconcile the IP address in the log with the other addresses for the port scan option. Again, thanks for the info. :)
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi again,

    See the help file for info on red sockets, anything that is not visible will be shown in red which is why the socket was red. There's everything you need to know about Port Explorer in the help file, you should find it good reading :)

    We can't determine which programs own tray icons at this time, or else it wouldn't show up, but if you are unsure about tray icons just watch Port Explorer while you right-click a tray icon (which reveals a menu).

    As for whether or not you are infected, was pop3trap.exe listening on port 4000? Not a problem if that is all it was, but you really should try a Full System Scan with TDS, of course after updating the databases :)
     
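The check Gavin is asking for in the post above (which process owns the socket on port 4000, and is it listening or connecting out?) is what Port Explorer does in its GUI. As an added example that is not part of the thread or of any DiamondCS or Trend Micro product, the script below does the same correlation from the command-line tools that ship with Windows, by parsing `netstat -ano` (socket to PID) and `tasklist /FO CSV` (PID to image name). The netstat and tasklist text embedded here is constructed sample data, and the PIDs, the image name `unknown.exe` and the addresses in it are invented for illustration; `sockets_for_port` and the other function names are this example's own.

```python
"""Map a port flagged in a firewall log to the process owning the socket.

Added example: feeds constructed `netstat -ano` and `tasklist /FO CSV`
output (Windows formats) through small parsers and reports, for a port,
whether each matching socket is listening, connecting outbound, or an
accepted inbound connection, and which image owns it.
"""
import csv
import io

# Constructed sample of `netstat -ano` output (not real data from the thread).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    127.0.0.1:4000         0.0.0.0:0              LISTENING       1688
  TCP    192.168.1.10:1053      203.0.113.5:4000       SYN_SENT        2412
  TCP    192.168.1.10:1061      192.0.2.7:110          ESTABLISHED     1688
  UDP    0.0.0.0:4000           *:*                                    1688
"""

# Constructed sample of `tasklist /FO CSV` output (PIDs and names invented).
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","804","Console","0","5,120 K"
"pop3trap.exe","1688","Console","0","3,268 K"
"unknown.exe","2412","Console","0","1,040 K"
"""


def split_endpoint(endpoint):
    """'127.0.0.1:4000' -> ('127.0.0.1', 4000); '*:*' -> ('*', None).
    rpartition keeps IPv6 forms such as '[::]:135' intact."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` lines into dicts; header and blank lines are skipped.
    TCP rows carry a State column, UDP rows do not, so the PID is always last."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = fields[:3]
        state = fields[3] if len(fields) == 5 else ""
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        records.append({"proto": proto, "lhost": lhost, "lport": lport,
                        "fhost": fhost, "fport": fport, "state": state,
                        "pid": int(fields[-1])})
    return records


def parse_tasklist(text):
    """Parse `tasklist /FO CSV` output into {pid: image name}."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def sockets_for_port(port, netstat_text=NETSTAT_SAMPLE, tasklist_text=TASKLIST_SAMPLE):
    """Return (image, pid, proto, role, state) for every socket touching `port`.

    A firewall's "attempt to sneak out via port N" is an outbound connection
    whose *remote* port is N; a local listener on N is a different thing, so
    the two are labelled separately."""
    images = parse_tasklist(tasklist_text)
    hits = []
    for r in parse_netstat(netstat_text):
        if r["proto"] == "UDP" and r["lport"] == port:
            role = "bound"                     # UDP has no LISTENING state
        elif r["lport"] == port and r["state"] == "LISTENING":
            role = "listening"
        elif r["fport"] == port:
            role = "outbound to %s:%d" % (r["fhost"], r["fport"])
        elif r["lport"] == port:
            role = "accepted from %s:%d" % (r["fhost"], r["fport"])
        else:
            continue
        hits.append((images.get(r["pid"], "<pid not in tasklist>"),
                     r["pid"], r["proto"], role, r["state"]))
    return hits


if __name__ == "__main__":
    for hit in sockets_for_port(4000):
        print("%-14s pid %-5d %s %s %s" % hit)
```

On a live machine, capture the real output with `netstat -ano > ns.txt` and `tasklist /FO CSV > tl.txt` and pass the file contents in. The image name alone is not proof of anything: a process named after a legitimate component can be anything, so the next step is to confirm the executable's path and vendor before concluding, as the thread does, that the listener is the antivirus's own POP3 proxy.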
  5. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
  6. 0tbyn8r

    0tbyn8r Registered Member

    Joined:
    Feb 12, 2003
    Posts:
    3
    Thanks again to both of you for the info. I'll be performing those actions in the not-too-distant future as you advised Gavin; and the links Primrose supplied were quite interesting.
    Hmmm...whoever said computers would make life easier? You gotta love the education though :)
     