Backdoor.beastdoor.205 problem
Results 1 to 8 of 8

Thread: Backdoor.beastdoor.205 problem

  1. #1
    Junior Member
    Join Date
    Jan 2004
    Posts
    3

    Backdoor.beastdoor.205 problem

    I have an infection on a computer at my work, I got it scanned with an OUTSIDE source, and it was called Backdoor.Beastdoor.205, I can not find any information on this virus, or any effective removal methods.

    as a VERY last resort I will do a format, but I do not want to come to that as of the data on the computer and no way to back it up.

    any help would be appreciated, thank you.

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    A quick google search turned up this

    What program did you use to scan and find this virus?
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  3. #3
    Junior Member
    Join Date
    Jan 2004
    Posts
    3
    I used F-secure, and now no AV's run on the comp, I looked through the reg, and there are no changes, I found one file svchost.exe that is running outside of the windows/system/ folder, it has a different Icon (atom) is under the process list, as run by the user, I can cancel the process, and I can get AVG to work ( wont find anything) but F-Secure wont run on it, I clean the reg, and remove the file, restart, it comes back.

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    hrm... sounds like there are two processes running with this variant of the virus. Each process checks to see if the other is running, and if not, starts it up again. Take a very close look at your running processes and make sure that you know what each and every one of them does. It is quite normal to have one or more instances of svchost running.

    Also check to make sure you have up to date virus definitions. This virus is listed in some definition files, however the link I providwed above states that it will not be included in a release version of that AV product until February 2004.

    If this virus isn't listed in definition files you're going to have to remove it by hand. Figure out which processes it is running. It may have ingfected an otherwise legit process which is now running it as a subroutine, so you may need to copy all your system files from CD to fix that. Maybe a "repair installation" option exists for your OS.

    How many files are infected?
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  5. #5
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    You might try:

    http://www.pandasoftware.com/ and run their online scanner (Activescan....left hand side at bottom) They have about two dozen variants of Beastdoor in their database, so they should be a good bet? Unfortunately different AVs handle different threats at any one point in time

    Unfortunately this is a RAT (Remote Access Trojan) so you have been "owned". The only safe solution in these circumstances is to reformat and re-install, as you never know what other "goodies" might have been loaded onto your machine?

    Remember that if your OS does automatic backup/restore you will have to clear this as well as AVs can't do that. Just follow tha AV provider's instructions.

    Good Luck
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #6
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Have you bothered reading this?

    http://www.sophos.com/support/disinfection/trojan.html

    gr8 place to start..

    or here is some info on the server/client
    http://www.megasecurity.org/trojans/...Beast2.05.html

    have fun..

    BTW.. all from Google..

    Try it some time it it is gr8 m8

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  7. #7
    Member
    Join Date
    Oct 2002
    Posts
    36
    in order to detect it you can use tools such as :

    1.) fport.exe (shows you the outgoing open prots and the processes of thouse ports)
    2.) pm.exe will detect all hiddent processes e.g rootkits , API trojans etc...
    3.) www.megasecurity.org here u will find the descriptions of all (almost) available trojans...
    4.) a good antivirus (F-Secure) visus scan your machine over the netword......coz your AV might be corrupted (modified in favour of an attacker

  8. #8
    Senior Member Wazz's Avatar
    Join Date
    Apr 2003
    Posts
    288
    From Sophos: Detection
    A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the February 2004 (3.78) release of Sophos Anti-Virus.
    At the time of writing Sophos has received no reports from users affected by this Trojan. However, we have issued this advisory following enquiries to our support department from customers.


    Description
    Troj/Beastdo-M is a backdoor Trojan which creates several invisible threads within other processes which allow unauthorised remote access to the computer over a network.
    The Trojan moves itself to either the Windows or Windows\System folder as a file of the form MS????.COM where question marks denote random characters. It also copies itself to the Windows\Command folder (under Windows 95/98/Me) or the Windows msagent folder (under systems based on Windows NT) as MSCVNK.COM.

    The Trojan adds to the following registry entries to run itself on system restart:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    and

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Troj/Beastdo-M also points the following entry in the registry to a copy of the Trojan:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Systemb

    The Trojan drops a DLL component within the Windows folder that has the default filname of DXDGNS.DLL though this can be redefined by the user.

    Troj/Beastdo-M may open a port on the computer that listens for commands from a remote location. The number of the port is again determined by the Trojan user.

    Under Windows 95/98/Me the Trojan includes its own code within the running processes SYSTRAY.EXE and IEXPLORER.EXE, EXPLORER.EXE or any other executable that may be chosen by the user. Under systems based on Windows NT the process WINLOGON.EXE is used instead of SYSTRAY.EXE.

    Troj/BeastDo-M creates the registry entry

    HKCU\Software\Microsoft\RAS Autodial\Control\LoginSessionDisable = 1

    The Trojan may attempt to send a confirmation email message to an external address.


    Recovery
    Please follow the instructions for removing Trojans.

    Windows NT/2000/XP/2003

    In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

    At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

    Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

    Locate the HKEY_LOCAL_MACHINE entry:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    and remove any reference to any file you deleted.

    Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

    HKU\[code number]\Software\Microsoft\Windows\
    CurrentVersion\Run\

    and remove any reference to any file you deleted.

    Close the registry editor and reboot your computer.
    "It is a shame that stupidity is not painful" - Anton LaVey

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •