Backdoor.beastdoor.205 problem

[Onslaught_Zero]

I have an infection on a computer at my work, I got it scanned with an OUTSIDE source, and it was called Backdoor.Beastdoor.205, I can not find any information on this virus, or any effective removal methods.

as a VERY last resort I will do a format, but I do not want to come to that as of the data on the computer and no way to back it up.

any help would be appreciated, thank you.

[Striek]

A quick google search turned up this

What program did you use to scan and find this virus?

[Onslaught_Zero]

I used F-secure, and now no AV's run on the comp, I looked through the reg, and there are no changes, I found one file svchost.exe that is running outside of the windows/system/ folder, it has a different Icon (atom) is under the process list, as run by the user, I can cancel the process, and I can get AVG to work ( wont find anything) but F-Secure wont run on it, I clean the reg, and remove the file, restart, it comes back.

[Striek]

hrm... sounds like there are two processes running with this variant of the virus. Each process checks to see if the other is running, and if not, starts it up again. Take a very close look at your running processes and make sure that you know what each and every one of them does. It is quite normal to have one or more instances of svchost running.

Also check to make sure you have up to date virus definitions. This virus is listed in some definition files, however the link I providwed above states that it will not be included in a release version of that AV product until February 2004.

If this virus isn't listed in definition files you're going to have to remove it by hand. Figure out which processes it is running. It may have ingfected an otherwise legit process which is now running it as a subroutine, so you may need to copy all your system files from CD to fix that. Maybe a "repair installation" option exists for your OS.

How many files are infected?

[nihil]

You might try:

http://www.pandasoftware.com/ and run their online scanner (Activescan....left hand side at bottom) They have about two dozen variants of Beastdoor in their database, so they should be a good bet? Unfortunately different AVs handle different threats at any one point in time

Unfortunately this is a RAT (Remote Access Trojan) so you have been "owned". The only safe solution in these circumstances is to reformat and re-install, as you never know what other "goodies" might have been loaded onto your machine?

Remember that if your OS does automatic backup/restore you will have to clear this as well as AVs can't do that. Just follow tha AV provider's instructions.

Good Luck

[Und3ertak3r]

Have you bothered reading this?

http://www.sophos.com/support/disinfection/trojan.html

gr8 place to start..

or here is some info on the server/client
http://www.megasecurity.org/trojans/...Beast2.05.html

have fun..

BTW.. all from Google..

Try it some time it it is gr8 m8

Cheers

[karavay]

in order to detect it you can use tools such as :

1.) fport.exe (shows you the outgoing open prots and the processes of thouse ports)
2.) pm.exe will detect all hiddent processes e.g rootkits , API trojans etc...
3.) www.megasecurity.org here u will find the descriptions of all (almost) available trojans...
4.) a good antivirus (F-Secure) visus scan your machine over the netword......coz your AV might be corrupted (modified in favour of an attacker

[Wazz]

From Sophos: Detection
A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the February 2004 (3.78) release of Sophos Anti-Virus.
At the time of writing Sophos has received no reports from users affected by this Trojan. However, we have issued this advisory following enquiries to our support department from customers.


Description
Troj/Beastdo-M is a backdoor Trojan which creates several invisible threads within other processes which allow unauthorised remote access to the computer over a network.
The Trojan moves itself to either the Windows or Windows\System folder as a file of the form MS????.COM where question marks denote random characters. It also copies itself to the Windows\Command folder (under Windows 95/98/Me) or the Windows msagent folder (under systems based on Windows NT) as MSCVNK.COM.

The Trojan adds to the following registry entries to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

and

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Troj/Beastdo-M also points the following entry in the registry to a copy of the Trojan:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Systemb

The Trojan drops a DLL component within the Windows folder that has the default filname of DXDGNS.DLL though this can be redefined by the user.

Troj/Beastdo-M may open a port on the computer that listens for commands from a remote location. The number of the port is again determined by the Trojan user.

Under Windows 95/98/Me the Trojan includes its own code within the running processes SYSTRAY.EXE and IEXPLORER.EXE, EXPLORER.EXE or any other executable that may be chosen by the user. Under systems based on Windows NT the process WINLOGON.EXE is used instead of SYSTRAY.EXE.

Troj/BeastDo-M creates the registry entry

HKCU\Software\Microsoft\RAS Autodial\Control\LoginSessionDisable = 1

The Trojan may attempt to send a confirmation email message to an external address.


Recovery
Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor and reboot your computer.