Backdoor Trojans
Background Information
Examples of backdoor trojans are Netbus or Back Orifice. They allow other
people to control your computer over the Internet. When you run a program
that contains the Backdoor trojan, it will copy itself to the Windows or
Windows\System directory and add itself to the system's registry. Trojans are
usually claimed to be some sort of desirable program. For example, one
popular trojan wrapper is a game called "Whack a Mole". Another is a game
called "Pie Bill Gates". Once the program is in
memory, it tries to hide itself on the task list. It doesn't show any icon or
indication that it is running. It listens on a port until someone connects.
The person who is controlling your computer uses a program that lets them
record keystrokes, view files, move the mouse, open and close the CD-ROM,
etc. Sometimes, the trojan is customized so that the person who planted it
gets an e-mail when you run it.
Removal
The trojan tries to make itself hard to remove. For Back Orifice, it uses a
file with a name that usually shows up as " .EXE". Sometimes it uses a
name like "MSGSRV32.DRV". Windows prevents deleting the trojan file while it
is active. Some of the regular antivirus software can find these trojans and
delete them while Windows is not running. The antivirus program should find
at least one EXE or DRV file containing the trojan. If it finds a .DLL file,
then it is just an add-on to the trojan that provides extra features. If you
decide to use a single purpose trojan remover, then be cautious. Sometimes
trojans are disguised as trojan removers. For example, SynTax Back Orifice
Remover and BOSniffer are both actually Back Orifice.
A program imitating Antigen named Trojan.Win32.Antigen claims to
remove Back Orifice but is actually a program that steals passwords.
There are legitimate Anti-Trojan programs, but make sure you get
recommendations from people who have tried them and download them directly
from the author's site.
You can also remove it from the registry manually. Click Start,
then Run, then type regedit in the text box, then click OK. Click
HKEY_LOCAL_MACHINE, then Software, then Microsoft, then Windows, then
CurrentVersion. Check under Run and RunServices for any suspicious-looking
files. Some files are normally under this part of the registry. They are
Rundll32.exe, systray.exe, scanregw.exe, taskmon.exe, mstask.exe.
There are also some other files that are legitimate parts of the registry.
The trojan will usually be in the Windows or Windows\System folder.
Netbus is by default called patch.exe and the command ends in "/nomsg".
Back Orifice could be called " .EXE" or another file in RunServices.
Remember that someone could rename them to a different name. Usually they
are given a technical-sounding name like "MSGSRV32.DRV" or "TCP.DRV".
Instead of guessing which one is a trojan, see if your antivirus program will pick it up.
If it doesn't detect it, send a sample of the program(s) you suspect are the
virus to your antivirus producer's submission address.
Select the entry that loads the trojan and press
delete. Click Yes. Close regedit. You will now be able to delete the trojan.
Special instructions for difficult trojans, especially "Pretty Park" and
BackDoor-G.ldr ("Sub seven"):
Download the UNDO.ZIP file and unzip it with a program
like WinZip. Double click the undo.reg file
to import it into the registry.
For the curious, the contents of the REG file are:
REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
Click Start,
then Run, then type "c:\windows\win.ini" in the text box, then click OK.
Scroll down to the line that begins with "run=" and if it loads the trojan program,
delete it.
Click Start,
then Run, then type "c:\windows\system.ini" in the text box, then click OK.
Scroll down to the line that begins with "shell=" and if it loads the trojan program,
be very careful to delete only the part that loads the trojan. After you are done
the shell= should look like this:
shell=Explorer.exe
Close Notepad and save your changes.
Reboot your computer. The trojan will no
longer be active. Then you will be able to delete it from inside Windows.
Just go to the folder where the file resides and send it to the recycle bin.
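As an added example, not part of this page or of any tool it names, the following Python script applies the checks above (unknown entries under Run and RunServices, a hijacked exefile open command, a non-empty win.ini run= line, a system.ini shell= line that is not plain Explorer.exe) to a regedit export and to win.ini / system.ini text. The sample data is constructed, hijack_example.exe is a placeholder name, and the known-good list is the one given above.

```python
KNOWN_GOOD = {"rundll32.exe", "systray.exe", "scanregw.exe", "taskmon.exe", "mstask.exe"}  # normal per the page
EXPECTED_EXE_OPEN = '"%1" %*'    # the exefile open command that undo.reg restores
EXPECTED_SHELL = "explorer.exe"  # what the system.ini shell= line should be

def parse_reg(text):  # REGEDIT4 export text -> {key_path: {value_name: data}}, REG_SZ values only
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current, keys[line[1:-1]] = line[1:-1], {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            data = data[1:-1] if data.startswith('"') else data  # outer quotes of a REG_SZ value
            keys[current][name.strip('"')] = data.replace('\\"', '"').replace("\\\\", "\\")  # unescape \" and \\
    return keys

def exe_name(command):  # lower-cased basename of the program a command line launches
    command = command.strip()
    token = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    return token.rsplit("\\", 1)[-1].lower()

def audit_registry(reg_text):  # Run/RunServices entries not known-good, plus a hijacked exefile command
    findings = []
    for path, values in parse_reg(reg_text).items():
        tail = path.rsplit("\\", 1)[-1].lower()
        if tail in ("run", "runservices"):
            findings += [f"{tail}: {n} -> {c}" for n, c in values.items() if exe_name(c) not in KNOWN_GOOD]
        elif path.lower().endswith("exefile\\shell\\open\\command") and values.get("@") != EXPECTED_EXE_OPEN:
            findings.append("exefile open command hijacked: " + str(values.get("@")))
    return findings

def audit_ini(win_ini, system_ini):  # win.ini run= should be empty; system.ini shell= plain Explorer.exe
    findings = []
    for name, text, key, ok in (("win.ini", win_ini, "run=", ""), ("system.ini", system_ini, "shell=", EXPECTED_SHELL)):
        for line in text.splitlines():
            if line.lower().startswith(key) and line[len(key):].strip().lower() != ok:
                findings.append(f"{name} {key} altered: {line[len(key):].strip()}")
    return findings

SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"patch"="C:\\WINDOWS\\patch.exe /nomsg"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MSGSRV32"="C:\\WINDOWS\\SYSTEM\\MSGSRV32.DRV"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\hijack_example.exe \"%1\" %*"
'''  # constructed sample data, not from a real machine; hijack_example.exe is a placeholder name
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\MSGSRV32.DRV\n"  # constructed
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\TCP.DRV\n"  # constructed
```

Running audit_registry(SAMPLE_REG) and audit_ini(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI) on the sample data reports the patch.exe and MSGSRV32.DRV entries, the altered exefile command, the win.ini run= line and the extra program on shell=, while leaving the normal SysTray.Exe entry alone.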
Need more info on a certain trojan? Comments or suggestions?
Mail me