Message-ID: <002a01c42a8d$2e444d40$0100a8c0@cparena1consol>
From: cheekypeople at sec33.com (Lee)
Subject: Looking for BKDR_IRCFLOOD.X
BKDR_IRCFLOOD.X is a dropper program that creates a folder (which I can't
find) and creates an autorun registry entry that allows it to execute on
every system startup.
Below is taken from the MIRC Forums, hope it helps!
Lee @ STS
http://www.seethrusec.co.uk
Building Knowledge and Security..
http://trout.snt.utwente.nl/ubbthreads/showthreaded.php?Cat=&Board=generaldiscussion&Number=82509&page=0&view=collapsed&sb=5&o=14&vc=1
In an attempt to stop people asking if they're infected or not, please read
this before posting any more! - This is just a summary of everything I can
think of, gathered from other people's good advice throughout this thread
and some areas off this thread.
Question: What's this all about?
People are finding that, when using Trendmicro's Housecall virus scan they
are experiencing a virus detection of malware.Bkdr_Ircflood.X. CtrlAltDel
posted a link to more technical information about this infection.
As ParaBrat has pointed out before, there are two main issues with this
situation:
1) Trendmicro virus scan is detecting that you are infected with
malware.Bkdr_Ircflood.X. If this is the case, clean your system exactly as
is told to you by Trendmicro.
2) Trendmicro virus scan is detecting that you are infected with
malware.Bkdr_Ircflood.X and you have followed all of the instructions and
you can't find any of the problems that it says you should have OR you
scanned before, and cleaned everything, and it still detects you as
infected.
I suggest you use the resources in this thread and choose an antivirus or
trojan scanner other than Trendmicro. I would personally recommend AVG, The
Cleaner AND Ad-Aware.
If ALL 3 of these programs say you are not infected with any backdoors (or
at least not with malware.Bkdr_Ircflood.X) then I would say you are not
infected and Trendmicro is wrongly detecting you as being infected. If they
DO detect that you are infected then you may not have followed the
instructions properly or Trendmicro may not have detected all strains
(versions) of the virus on your computer - so use those programs to remove
the program, reboot, and once again scan with those 3 programs to ensure
non-infection.
If you are finding that Trendmicro is detecting this virus and NO other
virus scanners are, then it is fairly safe to assume you are not infected.
Please remember, we cannot tell you if you're infected or not, you must scan
for yourself! We cannot tell if Trendmicro is or is not properly detecting
the virus.
Question: How did I get infected?
This obviously only applies if there was actually an infection detected.
Sparta made some good suggestions as to how people can get infected:
- You could have got this through an email attachment. It's a good idea
never to open email attachments without scanning them with a virus scanner
first, even if an email is from one of your friends (I have seen a lot of
people say their "friends" have planted trojans on their computers for a bit
of fun. It may be fun for them, but if they shut down your computer every 5
minutes, or accidentally delete an important system file because they don't
know what they are doing, it might not be so fun for you!)
- You may have visited a website which has exploited you and planted this
virus on your computer. It's best not to go to websites when you're not 100%
certain of what's on them. You could visit a website and it automatically
starts to download something - NO legitimate website on the entire Internet
will do this, if you can, stop the download immediately.
- You may have installed a program recently that contains it. For your own
security you should not install programs unless you know they are perfectly
safe - this may include checking up on their security certificates and the
company who has signed the download.
The above 3 ways could have happened even if you have not used IRC for a
number of days, weeks, months or even years, and you are just coming back to
using IRC. However, there are general computer safety guidelines you should
follow, and also very IRC-specific guidelines you should follow to ensure
you remain safe from viruses and you keep your private information private.
Those may include:
- NEVER accepting files from people on IRC. Only accept files from trusted
friends, 'trusted' meaning you've known them for months if not years, not
because they've been nice to you for a few hours.
- NEVER typing suspicious things that people tell you to type, especially if
they contain //write $decode or any other long form of what appears to be a
jumble of letters and numbers.
- ALWAYS having an antivirus installed on your computer. If it has
auto-protect features, then have them enabled.
- ALWAYS having the latest updates from www.windowsupdate.com.
- ALWAYS having the latest version of your software. mIRC is an important
one to have updated to avoid any exploits that may be found. You can always
get the most up to date version at www.mirc.com/get.html.
The above should help you protect yourself from further infection. This does
not mean it's impossible for you to be infected, so don't disregard any
warnings that Antivirus programs give you, but it gives you a good chance at
not getting infected.
Question: So what's being done about this?
Trendmicro emailed ytytyt and told him that their 'virus doctors' are
looking into the situation. They also said to add mIRC.exe, for now, into
your Exception List so that Trendmicro does not detect a virus in it. See
this page for details.
Until there is another reply from Trendmicro nobody can give a definite
answer as to whether or not this is a 100% certain "false positive" in
Trendmicro. There is also very little we can do, as IRC users, other than
wait.
Question: Shall I stop using Trendmicro? Delete it?
No - Let's not forget Trendmicro is still a good virus scanner and highly
recommended by many websites, virus help channels and many IRC helpers.
There does seem to be a slight glitch in how it scans mIRC, but other than
that, it's good at picking up viruses and is a good addition to your
computer!
That said, do remember as always, no ONE virus scanner can detect, protect
and remove every virus threat - new viruses are released into the wild
every day, and there are hundreds of different types of viruses, trojans,
backdoors etc. You need at least 2-3 virus/trojan scanners on your computer
for effective protection.
Conclusion:
1) Scan your computer with Trendmicro.
2) If malware.Bkdr_Ircflood.X is detected, clean it.
3) After a reboot and following instructions carefully, scan again.
4) If Trendmicro continues to detect 'malware.Bkdr_Ircflood.X' use 2-3 other
programs to scan your computer.
5) If they find nothing, you're probably not infected!
6) If they do find something, clean your machine with those programs, reboot
and rescan with those programs.
After that, you should be clean (once and for all!)
I hope this helps those people who browse this thread and prevents them from
needing further help until Trendmicro gets back to someone about this issue
=) - I by no means want to discourage people from posting if they have an
issue, please do if you have more questions, but I think this post and the
other posts throughout this thread answer a lot of questions that have been
repeated and repeated!
Stay safe!
Regards,
Mentality/Chris
----- Original Message -----
From: "Chris Carlson" <chris@...pucounts.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Sunday, April 25, 2004 4:56 AM
Subject: [Full-Disclosure] Looking for BKDR_IRCFLOOD.X
> Several users of an IRC network of mine have been infected with a strange
> form of virus, worm, trojan, or other that is causing some rather odd
> problems for some. Trend Micro's Pc-Cillin detects the presence of
> BKDR_IRCFLOOD.X when mIRC is loaded by these users. I don't know anything
> more about the bug or where it came from except that it has evaded all
> attempts of these users to be removed. Ad-Aware, the Cleaner and other
> similar tools all fail. If you have any information about this, or can
> direct me to a binary copy of the bug, please let me know. Thanks.
>
> - Chris
>
> * "First they ignore you, then they laugh at you, then they
> fight you, then you win." ~Mahatma Gandhi
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
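The autorun registry entry mentioned at the top of Lee's message is the one artefact a reader can inspect directly rather than relying on a scanner verdict. As an added example that is not part of this thread, the PowerShell snippet below lists the per-machine and per-user Run/RunOnce values and flags any whose target file is missing or sits under a user-writable path; it is a triage aid for reviewing startup entries by hand, not a signature for BKDR_IRCFLOOD.X, whose folder and value name the thread does not give.

```powershell
# Added example (not from the thread): enumerate startup persistence entries
# in the standard Run/RunOnce keys and flag the ones worth a closer look.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties that Get-ItemProperty adds.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value

            # Pull the executable out of the command line: a quoted path,
            # or the first whitespace-delimited token if unquoted.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $flags = @()
            # A Run value whose target no longer exists is a leftover from a
            # partial clean-up, or a loader that is hidden elsewhere.
            if (-not (Test-Path -LiteralPath $exe)) { $flags += 'missing-target' }
            # Legitimate startup software rarely runs from profile or temp dirs.
            if ($exe -match '\\(Users|Documents and Settings)\\|\\Temp\\|\\AppData\\') {
                $flags += 'user-writable-path'
            }

            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Target  = $exe
                Flags   = ($flags -join ',')
            }
        }
    }
}

# Flagged entries sort to the top; review them against what you installed.
Get-AutorunEntries | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable; an unflagged entry is not proof of a clean machine, and a flagged one still needs to be checked against what you actually installed before anything is removed.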