Infected: Backdoor.Apdoor.c

Home » Windows & System Security » Virus / Spyware Problems and Security... » Infected: Backdoor.Apdoor.c

Rate Topic

Display Mode

Topic Options

Author

Message

Bulldog

Posted 9/10/2003 6:06 PM

Senior Forum Advisor

Group: Senior Advisor
Last Login: 12/4/2005 12:31 AM
Posts: 4,743, Visits: 5

So , here is my story. So far.

Visiting a security/spyware site yesterday, reading a thread when I start getting a script error. Never seen it before. Hmm Me thinks. So I carry on as usual.
Today I was helping someone and needed to reference something in msconfig. There is a new startup entry . C:\WINDOWS\system32\yidvvmc.exe . I think Oh OH....So I start looking everywhere I can think of to find a reference to this file. Scanned it with two AV's. No joy. (cursing the kids for maybe opening an attachment)
I run HT and find it is only in the Run key, no process running. Now I go looking for Metallica, and post my issue on a security forum. Pieter suggests I upload the file and have on online scanner check it.
Welll. This is what it said.
*Current object: yidvvmc.exe
yidvvmc.exe Packed: UPX
yidvvmc.exe Infected: Backdoor.Apdoor.c *

So I fix it up manually and delete the two files in safe mode (one was a .dll)
Now I am thinking..How the heck did I get this and I remember the script errors on that thread. I go back to that thread and BAMM. It's in msconfig again.

I remove this new one (new random name) Fix it up. Read about a critical patch at MS, go and get it. Install the patch, ALL clean.

Ok I say. Lets try that thread again. (Metallica hadn't taken it down yet.) BAMM infected again.. Arrrrrrrrrrrr.

Beware.

(I know what you are going to say, Rob Wink

Cheers

Post #2911

relder

Posted 9/10/2003 6:06 PM

Forum Moderator

Group: Moderators
Last Login: 8/13/2007 11:17 AM
Posts: 3,966, Visits: 1,057

All I can say is that you need to be doing the right things.

__________________________________________________

Post #40025

Bulldog

Posted 9/10/2003 6:06 PM

Senior Forum Advisor

Group: Senior Advisor
Last Login: 12/4/2005 12:31 AM
Posts: 4,743, Visits: 5

http://www.antivirus-download.com/virusinfo/apdoor.htm

Cheers

Post #40026

relder

Posted 9/10/2003 6:06 PM

Forum Moderator

Group: Moderators
Last Login: 8/13/2007 11:17 AM
Posts: 3,966, Visits: 1,057

Looks like a variation. Norton released definitions for the original version on 6/16/03.

__________________________________________________

Post #40027

Bulldog

Posted 9/10/2003 6:06 PM

Senior Forum Advisor

Group: Senior Advisor
Last Login: 12/4/2005 12:31 AM
Posts: 4,743, Visits: 5

<edit> Took pic down , Nasty address <edit>

Metallica found this.
[QUOTE=Metallica]Hi Bob,
I had to disable HTAstop and AdWatch to get this far:
http://home01.wxs.nl/~kleyn080/htaexploit.jpg
Then I stopped and went back into my shell.

The long story: after moving that thread I started every security app I own, dusted of IE and went in. First one to alarm me was AdWatch, alarming me to a webdownload.
I looked in Port Explorer what conncetions were made and found that site that was also in your script error.
So I went directly to that site, shut down Adwatch and got that warning from NAV. I noticed the filename .hta en toggled HTAstop to off. Then got the Sygate warning. That´s the screenshot I uploaded.

So what they do is to try and trick IE into running a .hta file locally.
I imagine that it´s sole purpose is to get that Backdoor.Coreflood on your computer. Just guessing that the .dr extension stands for downloader.

Regards,
Pieter
[/QUOTE]

Thank you Pieter.

Cheers

Post #40028

« Prev Topic | Next Topic »

Reading This Topic

All times are GMT -6:00, Time now is 11:02pm