Security Basics mailing list archives

RE: Question for all


From: George Peek <GKPeek () AllstateTicketing com>
Date: Mon, 4 Aug 2003 07:31:11 -0700

Could backdoor trojan be a generic name? Symantec is known to detect trojan
appz, possibly altered or generated by another app. It is quarantined
because it is still active. Best bet is to:

1. Boot into safe mode or emergency console (you have to allow group policy
to access other drives/folders other than %SystemRoot% (i.e. Winnt32 or
Windows)) -- Delete the file or, to trick the virus, replace it with another
application (rename it to the same name/file extension). The virus most likely is
executed from within the registry. If the virus already detects the .exe it will not
attempt to re-create it, and will blindly execute it (99% of the time). Even
if other executables are infected, the virus is most likely only memory
resident in one instance.

2. Locate the registry entry of the trojan/virus in the registry, search for the name,
search for any associated .dlls with the virus. Remove it from the registry or
point the path to another app (that will not harm your PC), reboot; the
virus will check to make sure the registry entry is already there (if you
delete it, it may re-input it as you are shutting down). It will execute the
harmless app on reboot, and you can clean the virus that way.

3. In emergency console you can replace any files that are not curable (if
any) from a floppy or i386 cache.

Good Luck,
George
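The second step above, locating the autostart registry entry and checking what it points at, is something an administrator would normally do by hand in regedit. The script below is an added example for this archive and is not part of George's reply or any vendor tool: it enumerates the standard Run/RunOnce keys for the machine and the current user, resolves each command line to its executable, reports whether that file actually exists, and flags names matching a placeholder pattern. The `$SuspectPattern` default is a constructed placeholder, not a real indicator; set it to the file name your scanner quarantined.

```powershell
# Added example (not from the original thread): inventory the common
# Run/RunOnce autostart keys so a persistence entry can be reviewed
# before anything is deleted or repointed, as the reply suggests.
param(
    [string]$SuspectPattern = 'payload'   # placeholder pattern, not a real indicator
)

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutableFromCommand {
    param([string]$Command)
    # Quoted path: the executable is the text inside the first pair of quotes.
    if ($Command -match '^\s*"([^"]+)"') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    # Unquoted: take everything up to the first ".exe" (PowerShell -match is
    # case-insensitive); this also covers "rundll32.exe foo.dll,Entry" hosts.
    if ($Command -match '^\s*(.+?\.exe)') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    # Fallback: first whitespace-delimited token.
    return [Environment]::ExpandEnvironmentVariables(($Command -split '\s+')[0])
}

function Test-ExecutableExists {
    param([string]$Exe)
    # Rooted paths are checked directly; bare names are resolved via PATH.
    if ([IO.Path]::IsPathRooted($Exe)) { return (Test-Path -LiteralPath $Exe) }
    return [bool](Get-Command $Exe -ErrorAction SilentlyContinue)
}

$Findings = foreach ($Key in $AutorunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Item = Get-Item $Key
    foreach ($Name in $Item.GetValueNames()) {
        $Command = [string]$Item.GetValue($Name)
        $Exe = Get-ExecutableFromCommand $Command
        [PSCustomObject]@{
            Key        = $Key
            Name       = $Name
            Command    = $Command
            Executable = $Exe
            Exists     = Test-ExecutableExists $Exe
            # Flag by value name or command line; a missing target is also
            # worth a look, since a dropper that re-creates its file on
            # shutdown may leave a dangling entry in between.
            Suspect    = ($Name -match $SuspectPattern) -or ($Command -match $SuspectPattern)
        }
    }
}

$Findings | Sort-Object -Property Suspect, Exists -Descending | Format-Table -AutoSize

# Back up a key before editing it so the original value can be restored:
#   reg export "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run-backup.reg
```

Run it from an elevated prompt so the HKLM keys are readable. The script only reads; the `reg export` line in the trailing comment is the step to take before removing or repointing an entry, so the change can be undone if the flagged value turns out to be legitimate software.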

-----Original Message-----
From: McCleskey, David [mailto:dmccleskey () polymersealing com]
Sent: Friday, August 01, 2003 10:03 AM
To: 'Flory D Jeffrey Contractor 59MDSS/MSISI'
Cc: Security Basics (E-mail)
Subject: RE: Question for all


Here is a link to trend
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BDFR.SVR
it lists some information and you can use their online scan.

David



-----Original Message-----
From: Flory D Jeffrey Contractor 59MDSS/MSISI
[mailto:Jeffrey.Flory2 () LACKLAND AF MIL]
Sent: Friday, August 01, 2003 8:23 AM
To: security-basics () securityfocus com; incidents () securityfocus com
Cc: Flory D Jeffrey Contractor 59MDSS/MSISI
Subject: Question for all


A friend of mine recently went from Windows ME to Win2K, but now he has a
trojan on his computer.  He is running Norton Anti-virus, and it will not
clean it off, it will only quarantine it.  The affliction is:
Backdoor.Trojan, and it has placed a hidden folder on his hard drive called:
Payload.Dat.  He cannot get rid of it.  We have tried doing a search on the
internet for some kind of information pertaining to this, but we had no
luck.  We also tried all the antiviral websites but they do not have a tool
for this.

My question is:  Has anyone ever heard of this, and if so, how do you clean
it off?

Thanks in advance for any assistance anyone can provide.

Jeff


