2007-04-20, 08:52 | Link #1
(。☉౪ ⊙。)
Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
Backdoor.Win32.Bifrose.aej trojan remove program?
Does anyone know how to remove the trojan Backdoor.Win32.Bifrose.aej? This trojan keeps track of your World of Warcraft account and password and sends it out to someone. I've used multiple scanners but they do not pick up the trojan; they simply say that there are 0 threats. However, my World of Warcraft launcher says that the trojan is on my computer, hence it advises me to remove it. When I googled I found out that there were versions of this trojan that were targeted at mIRC, but that is as far as I got. Scanners failed (AVG, NOD32 and FIXWAREOUT) and I was hoping someone here could help me out. Thanks in advance!
2007-04-21, 00:44 | Link #2
Love Yourself
Join Date: Mar 2003
Location: Northeast USA
Age: 38
Usage of mIRC for relaying information is relatively common for trojans. If you have a tight firewall set to ask you to define rules, you shouldn't be too worried about leaked data (unless you're rather liberal with allowing communications where you're not sure what they are).
I found some information about the virus from Symantec, but the removal instructions might not be too much help for you. I don't know why your three scanners failed you, but based off of a quick Googling, it seems like Symantec and Kaspersky should be able to find it. I do not recommend Norton regular edition - it's expensive and bloatware, but if you have access to Corporate Edition, it's decent. Kaspersky has a free 30 day trial, and I've used it twice to bail out my roommate's computer (where Norton home edition failed). I'd recommend running it to see if it can find the virus. If it can't, consider reinstalling World of Warcraft - it may be finding false positives. Lastly, a word about virus scanners - more isn't better. If you have three on your system for added security, it's not a bad idea, but make sure that only one of them is running its "auto protect" services at any one time. Otherwise, they can interfere with each other, and you're just asking for major system slowdown.
2007-04-21, 05:06 | Link #3
(。☉౪ ⊙。)
Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
I tried Kaspersky, but it didn't find any trojan horses on my computer. I scanned 2 times, once in normal mode and once in Windows safe mode.

However, what I am worried about is that account data of my World of Warcraft account could leak out, aka password and such. With that people could easily get a hand on my father's credit card number, and I don't like the idea of logging in to find my 2 years of hard-worked characters gone. However, I am certain that this trojan didn't come in by mIRC. My dad plays WoW as well and the last time he was on was Thursday evening, and then the warning message hadn't popped up yet. I went behind the PC the next morning thinking I might as well game a little before school, since I haven't been able to do anything for the entire week (school, work and homework). Then I saw the message standing in the launcher and I started scanning etc. I am right now trying to find it with A-Squared Free Edition, but so far all I got are tracking cookies, nothing more. Afterwards I'll try Symantec. I know that this amount of virus scans does not work, but I install them and scan with them because my own fail at it, and seemingly many others as well. I uninstall them afterwards and reinstall my original virus scan.

As for connection, I am using Comodo firewall, but I have no clue on how to configure it. To be able to download with BitTorrent I have to set it on Allow All before my download rate gets higher than 2; even with BitTorrent in the allow sector my download rate won't go past 2 kB per second when I have it on custom mode. I asked if someone could help me with it earlier but no one responded. I tried Google, but found nothing really.

What I did find strange is that when I looked up information about Bifrose it had a list with files that belong to the trojan. I tried to look for them but I couldn't find anything at all. I'm thinking of reinstalling World of Warcraft as you said, maybe it got errored, but first I'll check out A-Squared and Symantec.
2007-04-21, 07:11 | Link #4
AS Oji-kun
Join Date: Nov 2006
Age: 74
Have you tried AdAware and Spybot Search and Destroy? Both these products were targeting malware well before places like Symantec and McAfee took the problem seriously.
2007-04-21, 07:23 | Link #5
INTJ
IT Support
Spy Sweeper as well, though it might not do as well as AdAware or Spybot in this department. There's also another program that my friend gave me that works great, but I can't remember what exactly. It's connected to using regedit to fix or delete anything corrupted or added to the registry by the problem. Either way, always install and run (as in scan for problems) the programs in safe mode. I've noticed that if installed other ways, the problem becomes unsusceptible to scans.
2007-04-21, 07:44 | Link #6
(。☉౪ ⊙。)
Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
Yep, I've tried all of the above. However, I recently found out that people are able to find it with Kaspersky; how they managed to find it I don't know. I'm right now deep-scanning again with Kaspersky, but at 67% it still found nothing. I will deep scan again in safe mode once it is finished with this scan...

What I did wonder is what kind of scan you would normally use for finding the location of trojans. I'm right now using the normal scan but selected every single drive, My Documents etc. (in other words everything in My Computer). I did that before but I found nothing; before that I did the critical area scan and start-up objects... The program Takuya probably means is Spy Doctor. I tried that yesterday as well. I'm now trying to get in contact with those players that managed to get the file off their disc by using Kaspersky; maybe they can provide me information as to what scan they used and their scan report.
2007-04-21, 07:54 | Link #7
INTJ
IT Support
No. It's not Spy Doctor. It's a program that isn't well-known at all. It's barely even automated. When I last used it, I merely had it search and list out the suspect registry to fix and I manually did so via regedit while in safe mode.
I haven't read up information on Backdoor.Win32.Bifrose.aej, but it sounds like it's the type to embed itself into the OS (probably via registry) so most programs will overlook it. Of course, if this was the case and I was the one being affected by it, Spy Sweeper would have instantly informed me of what it's doing and, depending on how severe a damage it's already attempting to cause, Spy Sweeper will either quarantine and delete it, or inform me and ask me whether to permit it to run its functions or not.
2007-04-21, 10:56 | Link #8
(。☉౪ ⊙。)
Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
The trojan hides itself in your registry, that is correct. One of the file names it uses is System.DLL; however, I have 3 in my search results and they are also needed to run your PC, for that reason I am not going to randomly delete one.

It still hasn't been removed. I'm now going to drop by on another forum, a tech support forum, and see if they can do anything there. I tried scanning with Kaspersky as I said before but it didn't find anything, in normal mode nor Windows safe mode. I'm thinking of dropping the PC off for repairs at a colleague of my dad's who works in a PC repair shop as well; he should be able to sort it out. I however am going to find the idiot who made this trojan and I will stone him!
2007-04-21, 12:51 | Link #9
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
I've only found system.dll in "Microsoft.Net" and "assembly" folders (maybe that helps you to determine which is the bad one).
Trojans and virii are usually detected through so-called signatures. These signatures are basically a fingerprint of the virus/trojan. However, some signatures cause false positives: the scanners detect something as malicious which actually isn't. Though it is hard to absolutely know for sure that there is a false positive at hand, because there exists another thing, polymorphic virii/trojans (code that mutates while keeping the original algorithm intact). That can be done by humans or fully automatically... well, the important thing to know is that such virii/trojans may alter their fingerprint. In that case probabilistic and heuristic methods can find such virii/trojans (or, if they are not completely polymorphic, using a signature of the parts that always stay the same). Similar to algorithms like Monte Carlo which use indeterministic elements, such methods are used where a lucky choice can find the correct result. Such algorithms will likely find the correct result the longer they run (repetition is the key to success here). Heuristics play an important role to keep the number of loops small. One good thing is that they are pseudo-random... that means with the same seed and same input they will behave deterministically. (hm, I have the feeling I drifted too deep into theory now...)

Well, let's hope it's only a false positive in your case (otherwise you have to wait for a virus database update that includes the signature of your special trojan, or you have to use probabilistic/heuristic methods, or reformat your system partition, or find it through other means [1]).

[1] Trojans try to communicate their results somewhere. Many firewalls offer the ability to define trusted and untrusted programs (and such that are unknown - with request). So look inside the tracer of your firewall (if you have one), which programs are trying to communicate while doing the account login and stuff. If there is something popping up (except WoW)... I'd focus my research on that program.
edit: Phantom-Takaya is possibly referring to hijackthis (listing suspicious registry entries).
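The signature discussion above (fingerprints, polymorphic bodies, partial signatures on the parts that stay constant, and false positives) as an added illustration; this is not code from the thread or from any scanner. The "samples" are constructed byte strings, and the decoder stub, payload and XOR key are all assumptions made for the demo.

```python
import hashlib

# Constructed sample layout: a constant "decoder stub" followed by a
# one-byte key and an XOR-encoded payload. Illustrative bytes only.
STUB = bytes.fromhex("55 8b ec 83 ec 10 31 c0")   # the part that never changes
PAYLOAD = b"GET-ACCOUNT-DATA"                      # constructed placeholder body


def encode(payload: bytes, key: int) -> bytes:
    """Polymorphic body: same algorithm, a different key gives different bytes."""
    return bytes(b ^ key for b in payload)


def build_sample(key: int) -> bytes:
    return STUB + bytes([key]) + encode(PAYLOAD, key)


SAMPLE_A = build_sample(0x41)           # the copy the vendor has a signature for
SAMPLE_B = build_sample(0x7F)           # a mutated copy: same stub, new body
CLEAN = b"plain document text, nothing to see here"
BENIGN_WITH_STUB = b"innocent data " + STUB + b" more innocent data"


def hash_signature(data: bytes) -> str:
    """Whole-file fingerprint: exact, but broken by any single byte change."""
    return hashlib.sha256(data).hexdigest()


HASH_DB = {hash_signature(SAMPLE_A)}    # what a signature database would hold


def matches_hash(data: bytes) -> bool:
    return hash_signature(data) in HASH_DB


def matches_partial(data: bytes, constant_part: bytes = STUB) -> bool:
    """Signature on the invariant part: survives the mutation, but any
    benign file that happens to contain those bytes is a false positive."""
    return constant_part in data


def classify(data: bytes) -> str:
    if matches_hash(data):
        return "known-hash"
    if matches_partial(data):
        return "partial-signature"
    return "clean"
```

`classify(SAMPLE_B)` shows why the mutated copy slips past the exact fingerprint yet is still caught by the stub signature, while `BENIGN_WITH_STUB` shows the false-positive cost of that broader match.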
2007-04-21, 13:15 | Link #10
INTJ
IT Support
That is correct Jinto_Lin. For some reason, the name was eluding me last night.
Jinto_Lin is right. Make sure your firewall is set to ask you whether to allow or deny certain programs to upload (or even download) things. It's annoying at first since it would constantly ask you what you would like to do for each program that requires an internet connection, but it will eventually lessen since it gives you the option to tell the firewall to store each choice you make. One great perk to doing it this way is that not only will it alert you to the programs that use your connection, but it also alerts you to other files that do so as well. Some dll files will also attempt to use the internet connection, and that's when it usually becomes questionable and you should be alerted. I heavily emphasize resolving the problem in safe mode for the sole reason that it won't be able to use any available networking at the very least. Another good reason, though it is not always the case, is that some of these trojans and virii are prevented from properly "activating" because said algorithms require certain conditions to be active that safe mode currently has disabled. I even recommend installing any firewall, virus scanners and any other utilities in safe mode.
2007-04-21, 14:17 | Link #11
Love Yourself
Join Date: Mar 2003
Location: Northeast USA
Age: 38
The virus communicates THROUGH IRC. Many viruses do - they log your computer on to an IRC network and channel, and through that they either give information to the hacker sitting in there, or they can receive commands through there. It doesn't have anything to do with whether you use mIRC, or if you even have it installed or not.
For those reasons, when it comes to security, being a bit paranoid can pay off. Don't consider your virus scanners to be a save-all, because in most cases, they aren't. Make sure that your system is secure, and to be safe, doubt your security every once in a while and try testing your setup against a site like grc.com's Shields Up. If you find an open port, manually set your firewall to close it.
2007-04-21, 15:57 | Link #12
Senior Member
Join Date: Dec 2004
Location: Portugal
Age: 44
Maybe install the OS again and then install firewall and AV before connecting to the net. Once viruses have infected some critical files in your system you might as well install the OS. You won't have to stress out if there are still traces of it somewhere.
2007-04-21, 22:32 | Link #13
INTJ
IT Support
Depending on the severity of the issues that it's causing, that would be one route to be taken, and not a very fun one. It takes quite a while (typically a day or more, depending on how many things you have to reinstall) to "restore" your computer back to normal. If you have no other options left and have to take that route, I highly advise you install your firewall, anti-viruses, pop-up blockers, spyware blockers, etc. in safe mode without networking. Also periodically have them scan your computer in safe mode for safety's sake. Just keep in mind: Utilities = Safe Mode, Everything Else = Normal.
2007-04-22, 08:40 | Link #14
(。☉౪ ⊙。)
Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
I would like to let you guys know that the trojan is gone. How I did it I have no idea. I was scanning yesterday with several other scanners, all of them deleted something *not sure what they deleted*, and when I checked this morning the message stopped popping up, indicating that the trojan is gone. Did several more scans to be certain and nothing was found. Hooray!
Thanks for all your help btw! *just saw the spoiler wrap function* woot, that's new, yay!