Re: Undetectable backdoor / Thread 2

The Repair option will not save you if you're already infected. It doesn't
replace files, though it checks for errors (not their integrity) and then
it replaces the non-working ones. You can manually get rid of the virus by
knowing first of all what type it is and how it behaves. For sure you'll
have to deep search in your Registry as this is best virus' friend!! Not to
mentioned the System dir of Windows and other hidden folders.

If an AV didnt find the backdoor, I'm quite sure any other Rootkit hunter
wont either.

Why don't you find the original .exe and then do some reverse engeneering
on it?! This will definitively gives you an idea of how the virus behaves.

Cheers
Marco





                                                                           
             "Costin Manda"                                                
             <manda@ecrmeurope                                             
             .com>                                                      To 
                                       <forensics@securityfocus.com>       
             06/12/2005 09.32                                           cc 
                                                                           
                                                                   Subject 
                                       Undetectable backdoor / Thread 2    
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           





Thanks to all for your replies. I will try as soon as possible the rootkit
detection (as soon as I find out what it is :) ) I got a lot of good links
and I will try them when I get home.

I will clarify some things because I got a lot of emails asking me the same

things.
1. Yes, I did try a firewall to patch the problem. Now ZoneAlarm is
prohibiting winlogon.exe from communicating on the internet and it works.
However, it still tries to connect periodically to https.manwithnoname.biz
2. No, this is not Mitgl.DQ.1 trojan, but it does seems to be from the same

author.
3. No, I didn't do a clean Windows install after reformat. I did a Repair.
I
don't have the time to reinstall Windows. My system is actually a Windows
98
system that worked fine for about 5 or 6 years then I've upgraded to
Windows
XP two years ago. I will NOT do a clean Windows install, nor will I forget
about Windows or Internet Explorer. If the Repair option doesn't replace
all
the Windows files, though, you might be on to something. Is that so?
4. RootKit. I will investigate this avenue. I haven't before, though, so
thanks for giving me this direction for research. Why aren't the anti-virus

and anti-spyware programs that I've tried doing this, though?
5. Winlogon.exe is NOT modified.
6. I've cleaned SpySheriff already. This is not SpySheriff, but it came in
the same bundle. Must be a new spyware marketing strategy :)

Thanks again for all the replies, I will respond to each of the sample and
registry and log requests as soon as I get home.

____________
Costin Manda
ECRM Europe