AnimeSuki Forums

Register Forum Rules FAQ Members List Social Groups Search Today's Posts Mark Forums Read

Go Back   AnimeSuki Forum > Support > Tech Support

Notices

Reply
 
Thread Tools
Old 2007-04-20, 08:52   Link #1
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
Backdoor.Win32.Bifrose.aej trojan remove program?

does anyone know how to remove the trojan

Backdoor.Win32.Bifrose.aej

this trojan keeps track on your World of Warcraft acount and password and sends this out to someone.. i've used multiple scanners but they do no pick up the troyan, they simply say that there are 0 threads, however my world of warcraft launcher says that the troyan is on my computer, hence it advises me to remove it

when i googled i found out that there were versions of this trojan that were targetted to MiRC, but that is how far as i got..

scanners failed (AVG, NOD32 and FIXWAREOUT) and i was hoping someone here could help me out, thanks in advance!
-KarumA- is offline   Reply With Quote
Old 2007-04-21, 00:44   Link #2
Ledgem
Love Yourself
 
 
Join Date: Mar 2003
Location: Northeast USA
Age: 38
Usage of mIRC for relaying information is relatively common for trojans. If you have a tight firewall set to ask you to define rules, you shouldn't be too worried about leaked data (unless you're rather liberal with allowing communications where you're not sure what they are).

I found some information about the virus from Symantec, but the removal instructions might not be too much help for you. I don't know why your three scanners failed you, but based off of a quick Googling, it seems like Symantec and Kapersky should be able to find it. I do not recommend Norton regular edition - it's expensive and bloatware, but if you have access to Corporate Edition, it's decent.

Kapersky has a free 30 day trail, and I've used it twice to bail out my roommate's computer (where Norton home edition failed). I'd recommend running it to see if it can find the virus. If it can't, consider reinstalling World of Warcraft - it may be finding false positives.

Lastly, a word about virus scanners - more isn't better. If you have three on your system for added security, it's not a bad idea, but make sure that only one of them is running its "auto protect" services at any one time. Otherwise, they can interfere with each other, and you're just asking for major system slowdown.
__________________
Ledgem is offline   Reply With Quote
Old 2007-04-21, 05:06   Link #3
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
i tried kaspersky, but it didnt find any trojan horses on my computer, i scanned 2 times once in normal mode and once in windows safe mode..

howevr what i am worried about is that acount data of my world of warcraft acount could leak out, aka passowrd and such.. with that people could easely get a hand on my father's credit card number and i dont like the idea of logging in to find my 2 years hard worked characters gone

however i am certain that this trojan didnt come in by mirc, my dad plays wow as well and last time he was on was thursday evening and then the warning message hadnt popped up yet, i went behind the pc the next morning thinking i might as well game a little before school.. since i havent been able to do anythign for the entire week (school, work and homework) then i saw the message standing in the launcher and i started scanning etc.

i am right ow trying to find it with A Squared Free-edition, but so fa all i got are tracing cookies, nothing more..
afterwards i'll try Symantec, i know that amounth of virus scans do not work, but i install them and scan with them because my own fail at it.. and seemingly many others as well, i uninstall them afterwards and reinstall my original virus scan

as for connection, i am using comodo firewall.. but i have no clue on how to configure it.. to be able to download with bittorrent i have to set it on Allow All, before my download rate gets higher than 2, even with bittorrent int he allow sector my download rate wont go past 2 kb/per second when i have it on custom mode.. i asked if someone oculd help me with it earlier but noone responded, i tried google.. but found nothing really..

what i did find strange is that when i looked up information about Bifrose it had a list with files that belong to the trojan, i tried to look for them but i couldnt find anything at all, im thinking of reinstalling world of warcraft as you said, maybe it got errored but first ill check out A Squarred and Sympathec
-KarumA- is offline   Reply With Quote
Old 2007-04-21, 07:11   Link #4
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
Have you tried AdAware and Spybot Search and Destroy? Both these products were targeting malware well before places like Symantec and McAfee took the problem seriously.
SeijiSensei is offline   Reply With Quote
Old 2007-04-21, 07:23   Link #5
Phantom-Takaya
INTJ
*IT Support
 
Join Date: Feb 2007
Location: Alaska
Age: 40
Send a message via AIM to Phantom-Takaya Send a message via MSN to Phantom-Takaya Send a message via Yahoo to Phantom-Takaya
Spy Sweeper as well, though it might not do as well as AdAware or Spybot in this department. There's also another program that my friend gave me that works great, but I can't remember what exactly. It's connected to using regedit to fix or delete anything corrupted or added to the registry by the problem. Either way, always install and run (as in scan for problems) the programs in safe mode. I've noticed that if installed other ways, the problem becomes unsusceptible to scans.
Phantom-Takaya is offline   Reply With Quote
Old 2007-04-21, 07:44   Link #6
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
yep ive tried all of the above, however i recently found out that people are able to find it with KasperSky, how they managed to find it i dontknow, im right now deepscanning again with Kaspersky but at 67% it still found nothing, i will deep scan again in safe mode once it is finished with this scan...

what i did wonder is what kind of scan you would normally use for finding the location of trojans, im right now using the normal scan but seleted every single drive, my documents etc. (in other words everything in My Computer), i did that before but i found nothing, before that i did the critical area scan and start up objects...

the program Takuya probable means is Spy Doctor.. i tried that yesterday as well.. im now trying to get contact with those players that managed to get the file of their disc by using KasperSky, maybe they can provide me information as of what scan they used and to their scan report
-KarumA- is offline   Reply With Quote
Old 2007-04-21, 07:54   Link #7
Phantom-Takaya
INTJ
*IT Support
 
Join Date: Feb 2007
Location: Alaska
Age: 40
Send a message via AIM to Phantom-Takaya Send a message via MSN to Phantom-Takaya Send a message via Yahoo to Phantom-Takaya
No. It's not Spy Doctor. It's a program that isn't well-known at all. It's barely even automated. When I last used it, I merely had it search and list out the suspect registry to fix and I manually did so via regedit while in safe mode.

I haven't read up information on Backdoor.Win32.Bifrose.aej, but it sounds like it's the type to embed itself into the OS (probably via registry) so most programs will overlook it. Of course, if this was the case and I was the one being affected by it, Spy Sweeper would have instantly informed me of what it's doing and depending how severe of a damage it's already attempting to cause, Spy Sweeper will either quarantine and delete it, or inform me and ask me whether to permit it to run its functions or not.
Phantom-Takaya is offline   Reply With Quote
Old 2007-04-21, 10:56   Link #8
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
the trojan hides itself in your registry, that is correct one of the file names it uses is System.DLL however i have 3 in my seach results and they are also neded to runyour pc for that reason i am not going to randomly delete one..

it still hasnt been removed, im now going to drop by on another forum, a tech support forum and see if they can do anything there, i tried scanning with KasperSky as i said before but it didnt find anything, in normal mode nor windows safe mode.. im thinking of dropping the pc of for repairs at a colleage of my dads who woks in a pc repair shop as well.. he should be able to sort it out, i however am going to find the idiot who made this trojan and i will stone him!
-KarumA- is offline   Reply With Quote
Old 2007-04-21, 12:51   Link #9
Jinto
Asuki-tan Kairin ↓
 
 
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
I've only found system.dll in "Microsoft.Net" and "assembly" folders (maybe that helps you to determine which is the bad one).

Trojans and virii are usually detected through so called signatures. These signatures are basically a fingerprint of the virus/trojan. However, some signatures cause false positives, the scanners detect something as malicious which actually isn't. Though it is hard to absolutely know for sure that there is a false positive at hand. Because there exist another thing, polymorphic virii/trojans (code that mutates while keeping the original algorithm intact). That can be done by humans or fully automatic... well, the important thing to know is, that such virii/trojans may alter their fingerprint. In that case probabilistic and heuristic methods can find such virii/trojans (or if they are not completely polymorphic, using a signature of the parts that stay always the same). Similar to algrothims like Monte Carlo which uses indeterministic elements, such methods are used where a lucky choice can find the correct result. Such algorithms will likely find the correct result the longer they run (repetition is the key to success here). Heuristics play an important role to keep the number of loops small. One good thing is, that they are pseudo random... that means with the same seed, and same input they will behave deterministic. (hm, I have the feeling I drifted too deep into theory now...)

Well, lets hope its only a false positive in your case (otherwise you have to wait for virus database update that includes the signature of your special trojan, or you have to use probabilistic/heuristic methods, or reformat your system partition, or find it through other means [1])

[1] trojans try to communicate their results somewhere. Many firewalls offer the ability to define trusted and untrusted programs (and such that are unknown - with request). So look inside the tracer of your firewall (if you have one), which programs are trying to communicate while doing the account login and stuff. If there is something popping up (except wow)... I'ld focus my research on that program.

edit:

Phantom-Takaya is possibly referring to hijackthis (listing suspicious registry entries).
__________________
Folding@Home, Team Animesuki
Jinto is offline   Reply With Quote
Old 2007-04-21, 13:15   Link #10
Phantom-Takaya
INTJ
*IT Support
 
Join Date: Feb 2007
Location: Alaska
Age: 40
Send a message via AIM to Phantom-Takaya Send a message via MSN to Phantom-Takaya Send a message via Yahoo to Phantom-Takaya
That is correct Jinto_Lin. For some reason, the name was eluding me last night.

Jinto_Lin is right. Make sure your firewall is set to ask you whether to allow or deny certain programs to upload (or even download) things. It's annoying at first since it would constantly ask you what you would like to do for each program that requires an internet connection, but it will eventually lessen since it gives you the option to tell the firewall to store each choice you make. One great perk to doing it this way is that not only will it alert you the programs that use your connection, but it also alerts alerts you other files that do so as well. Some dll files will also attempt to use the internet connection and that's when it usually becomes questionable and you should be alerted for.

I heavily emphasis on resolving the problem in safe mode with the sole reason of the fact that it won't be able to use any available networking at the very least. Another good reason, though it is not always the case, is that some of these trojans and virii are prevented to properly "activate" due to said algorithms require certain conditions to be active that safe mode currently has disabled. I even recommend installing any firewall, virus scanners and any other utilities in safe mode.
Phantom-Takaya is offline   Reply With Quote
Old 2007-04-21, 14:17   Link #11
Ledgem
Love Yourself
 
 
Join Date: Mar 2003
Location: Northeast USA
Age: 38
Quote:
Originally Posted by -KarumA- View Post
however i am certain that this trojan didnt come in by mirc
The virus communicates THROUGH IRC. Many viruses do - they log your computer on to an IRC network and channel, and through that they either give information to the hacker sitting in there, or they can receive commands through there. It doesn't have anything to do with whether you use mIRC, or if you even have it installed or not.

Quote:
i am right ow trying to find it with A Squared Free-edition, but so fa all i got are tracing cookies, nothing more..
Don't go installing random security software. I've never heard of that one, but you mentioned Spy Doctor farther down in your post. Partially due to the security craze affecting Windows, many companies create average products with "free trials" designed to draw you in (they may find things, but to remove them, you'll have to buy the product). You're just junking up your system with them, and if they behave like most other security software, they're a pain to remove. When it comes to security software, try to use only those recommended by word of mouth, rather than advertising.

Quote:
as for connection, i am using comodo firewall.. but i have no clue on how to configure it.. to be able to download with bittorrent i have to set it on Allow All
I'd recommend learning how, at least a little. I've used Comodo, and its interface isn't too cryptic. Just spend about five minutes and I'm sure you'll be able to figure it out. I don't recommend using "Allow All" unless you're behind a router (and even then, if you can help it, don't do it). The reason is that there are many viruses today that can infect you through your system's open ports - it doesn't require any interaction on your part. Once you're infected, it's a big pain to recover your system, in most cases. In my opinion, even virus scanners are relatively useless - their only real use is for catching infections before they happen. Once you're infected, I think most anti-virus software is relatively useless about "cleaning" files. They can delete files in most cases, but so can you.

For those reasons, when it comes to security, being a bit paranoid can pay off. Don't consider your virus scanners to be a save-all, because in most cases, they aren't. Make sure that your system is secure, and to be safe, doubt your security every once in a while and try testing your setup against a site like grc.com's Shields Up. If you find an open port, manually set your firewall to close it.

Quote:
what i did find strange is that when i looked up information about Bifrose it had a list with files that belong to the trojan, i tried to look for them but i couldnt find anything at all, im thinking of reinstalling world of warcraft as you said, maybe it got errored but first ill check out A Squarred and Sympathec
There are a number of BitFrost variants. It's possible that some of them use different files/directories. If it isn't a huge deal, do a clean install of WoW (delete or back up (move) your old files, and then install). I don't play WoW and don't know how much personal data is stored on your system, but don't go deleting it if it'll wipe out some of your personal settings. Delete everything except for those files controlling settings, if possible.
__________________
Ledgem is offline   Reply With Quote
Old 2007-04-21, 15:57   Link #12
Tiberium Wolf
Senior Member
 
 
Join Date: Dec 2004
Location: Portugal
Age: 44
Maybe installing the OS again and then install firewall and AV before connecting to the net. Once virus have infected some critical files in your system you might has well install the OS. You won't have to stress out if there are still traces of it somewhere.
Tiberium Wolf is offline   Reply With Quote
Old 2007-04-21, 22:32   Link #13
Phantom-Takaya
INTJ
*IT Support
 
Join Date: Feb 2007
Location: Alaska
Age: 40
Send a message via AIM to Phantom-Takaya Send a message via MSN to Phantom-Takaya Send a message via Yahoo to Phantom-Takaya
Depending on the severity of the issues that it's causing, that would be one route to be taken, and not a very fun one. It takes quite a while (typically a day or more, depending on how much things you have to reinstall) to "restore" your computer back to normal. If you have no other options left and have to take that route, I highly advice you install your firewall, anti-viruses, pop-up blockers, spyware blockers, etc. in safe mode without networking. Also periodically have them scan your computer in safe mode out of safety's sake. Just keep in mind: Utilities = Safe Mode, Everything Else = Normal.
Phantom-Takaya is offline   Reply With Quote
Old 2007-04-22, 08:40   Link #14
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
i would like to let you guys know that the trojan is gone, how i did it i have no idea.. i was scanning yesterday with several other scanners, all of them deleted some thing *not sure what they deleted* and when i checked this morning the message stopped popping up indicating that the trojan is gone, did several more scans to be certain and nothing was found hooray!

thanks for all your help btw!

*just saw the spiler wrap funtion* wooth thats new, yay!
-KarumA- is offline   Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 20:00.


Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.
We use Silk.