
I think my PC has a virus, or my PC is Possessed and creating files?!? HELP.

mitchelt

Senior member
I run Norton's Anti-Virus, and it is set for continuous protection, "full protection" from anything.

OK, I'll be cruising the internet, or just running some programs, and the Norton virus warning comes up; it asks if I want to fix/delete the file. I notice the file has a weird name, just a bunch of letters like: wasxft.exe

I also notice that it comes up on the 3rd or 4th line of the WIN.INI file.

I tell it to fix the file and it tells me it can't and then it quarantines it.

I have done a FULL scan with Norton and I downloaded a free virus checker from McAfee (something that checks for the latest virus going around).

I think something is going on, but the programs cannot detect it.

I fear the only option I have is to format everything and do a full reload from the original CDs and create a new Ghost image.

Any comment?

Thanks!

Mitch
 
My guess is that it is the Subseven trojan. I would update your virus signatures and try to rescan.

The safest thing to do is to reformat the hard drive and install clean.
 
If you have the latest virus signatures, and it's Subseven, Norton will find it.

If virus checks turn up nothing, maybe you should download a program like System Safe, to see if and what system files are being edited...

ph
 
"If you have the latest virus signatures, and it's Subseven, Norton will find it."

What do you mean by SUBSEVEN?
 
Update March 12, 2001: (The latest Sub7 version)

Sub7 2.2 Beta was published by the Trojan author on March 9, 2001. McAfee AVERT has added detection for this edition of the Trojan in the 4128 DAT. This is a trojan which has been consistently updated by the author. With each revision, updates, if needed, are added to the DAT files. This trojan is the result of further development of the BackDoor-G trojan (v1.0 - v2.13) and offers the usual access to the user's files and data on his system via the Internet.

By default the Trojan uses TCP port 27374, but this is configurable by the configuration program.

It is normally distributed as a Win32 PE exe dropper that may be disguised as a JPG or BMP picture. When run, this dropper installs two files into the WINDOWS folder of the user's hard disk. These two files are the main server exe files, normally called "MSREXE.EXE", and a loader program normally called "RUN.EXE", "WINDOS.EXE" or "MUEEXE.EXE".

These filenames are only the default names and can be changed by the trojan's configuration program. The main server exe file is identified as "BackDoor-G2.svr" or "BackDoor-G2.svr.gen". The loader program is identified as "BackDoor-G2.ldr".

Two other files are associated with this trojan the configuration program and the client program used to communicate with the main server program. These are identified as BackDoor-G2.cfg and BackDoor-G2.cli respectively. These files do not hook the operating system and may be safely deleted if detected on the system.

Indications Of Infection:

Files copied to the local system as mentioned above, changes to the system registry as mentioned above, strange or unexplained dialogue boxes on the machine with conversation or keystrokes entered without your interaction.

Method Of Infection:

The trojan hooks into the host operating system in one or more of 4 different ways:
1) Adds the name of the main server exe file to the run= line in the [windows] section of WIN.INI.

2) Adds name of the main server exe file to the end of the shell= line in the [boot] section of SYSTEM.INI.

3) Adds the main server exe file to the registry under the keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

4) Changes the way in which the operating system runs exe files by changing the registry value at
HKEY_CLASSES_ROOT\exefile\shell\open\command\ (Default) from "%1" %* to mueexe.exe "%1" %*. This causes the operating system to run the loader program every time an executable file is launched. The loader program then runs the main server exe file (if not already running) and then runs the executable file requested by the operating system.

The Trojan also registers the file extension .dl as an executable file type that can be run by the operating system just like any .exe file. This allows the attacker to download files onto the victim's system and run them. Because the extension is not usually associated with executable files, some virus scanners will not scan these files and the victim will not suspect them.
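As an added example (not code from this thread or from McAfee's write-up), here is a small Python checker for the five hook points the write-up lists: the WIN.INI run= line, the SYSTEM.INI shell= line, the HKLM Run/RunServices keys, the exefile open-command hijack, and a .dl extension registered as executable. It reads text only (copies of WIN.INI and SYSTEM.INI plus a regedit export), so it can run on any machine against files pulled from the suspect PC. The sample file contents, the "known-good autostart" set and the findings format are all constructed for this illustration.

```python
"""Offline checker for the Sub7 persistence points listed in the AVERT write-up.

Added example, not code from the forum thread or from McAfee. It parses text
only (copies of WIN.INI / SYSTEM.INI and a regedit export), so it runs on any
platform against files copied off the suspect machine. The sample contents
below are constructed to show each indicator firing.
"""
from typing import Dict, List

# --- constructed sample input (Windows 9x layout) ------------------------------
SAMPLE_WIN_INI = """[windows]
load=
run=wasxft.exe
NullPort=None
"""
# Sub7 appends its server after the shell= entry; the default is Explorer.exe alone.
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe msrexe.exe
"""
# Regedit export syntax (REGEDIT4 on 9x): names/values quoted, \ and " escaped.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WinLoader"="C:\\WINDOWS\\wasxft.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="mueexe.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\.dl]
@="exefile"
"""

SHELL_DEFAULT = "explorer.exe"
EXEFILE_DEFAULT = '"%1" %*'
RUN_KEYS = ("run", "runservices")
# Assumed-benign autostart binaries for the constructed sample only; in practice
# compare against a known-good image (e.g. the Ghost image the OP mentions).
KNOWN_AUTOSTART = {"systray.exe"}


def _unquote(s: str) -> str:
    """Strip regedit quoting and undo its backslash/quote escapes (two-pass,
    good enough for the sample); plain INI text passes through unchanged."""
    s = s.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return s


def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI-style text (WIN.INI, SYSTEM.INI or a regedit export) into
    {section: {name: value}} with section and value names lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            sections[current][_unquote(name).lower()] = _unquote(value)
    return sections


def basename(value: str) -> str:
    """Executable name from an autostart value, dropping path and trailing args
    (simplistic: a quoted path containing spaces would need real tokenising)."""
    first = value.split()[0] if value.split() else ""
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_system(win_ini: str, system_ini: str, reg_export: str) -> List[str]:
    """Return one finding per hook point that deviates from a clean 9x layout."""
    findings: List[str] = []
    win = parse_sections(win_ini).get("windows", {})
    boot = parse_sections(system_ini).get("boot", {})
    reg = parse_sections(reg_export)

    # 1) WIN.INI [windows] run= (and load=) are empty on a clean install.
    for key in ("run", "load"):
        if win.get(key, ""):
            findings.append(f"WIN.INI [windows] {key}= launches {win[key]!r}")

    # 2) SYSTEM.INI [boot] shell= must be Explorer.exe alone.
    shell = boot.get("shell", "")
    if shell.lower() != SHELL_DEFAULT:
        findings.append(f"SYSTEM.INI [boot] shell= is {shell!r}, expected {SHELL_DEFAULT!r}")

    # 3) HKLM\...\Run and RunServices entries outside the known-good set.
    for sub in RUN_KEYS:
        key = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\" + sub
        for name, value in reg.get(key, {}).items():
            if basename(value) not in KNOWN_AUTOSTART:
                findings.append(f"{sub} entry {name!r} launches {value!r}")

    # 4) exefile handler: anything but "%1" %* means a loader runs before every EXE.
    cmd = reg.get("hkey_classes_root\\exefile\\shell\\open\\command", {}).get("@", "")
    if cmd and cmd != EXEFILE_DEFAULT:
        findings.append(f"exefile open command hijacked: {cmd!r}")

    # 5) .dl registered as an executable type.
    if reg.get("hkey_classes_root\\.dl", {}).get("@", "").lower() == "exefile":
        findings.append(".dl extension mapped to exefile")
    return findings


if __name__ == "__main__":
    for line in check_system(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_REG_EXPORT):
        print("SUSPECT:", line)
```

Because the checker only compares against what a clean install looks like, it does not depend on signatures and would have flagged the OP's wasxft.exe entry on the WIN.INI run= line even though the scanners could not name the file. Note the order of checks matters for cleanup: if the exefile handler is hijacked, deleting the loader before restoring that registry value leaves the machine unable to start any .exe, which is exactly why the write-up says the config and client files can be deleted freely but the server and loader cannot.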
 