Backdoor.bionet.405


Colin Bearfield

I have just tried out a trial version of Kaspersky AV and it says I
might have a virus. It is suspicious about
C:\windows\system32\libupdate32.exe

Is it a virus and is anything known about it?

Colin

It's not a virus, it's a Remote Access Trojan (RAT). I found no KAV
description of this particular variant. You can see the names some
other av products use by using project VGREP:

http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=backdoor.bionet.405&product=0

I dunno if libupdate32.exe is a normal file on your OS or not. And
only you can tell us if you're seeing actual backdoor activity, and
whether or not you use a firewall and other general means of
detecting/blocking such Trojans.

If it turns out that it seems KAV is false alerting, send them a
zipped copy of the file for analysis.


Art
http://www.epix.net/~artnpeg
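Art's questions (is the file normal on this OS, is there actual backdoor activity, what does the firewall show) are the usual triage steps for a suspected RAT. The following is an added example, not code from the thread or from any AV vendor: a read-only PowerShell check that assumes a modern Windows host with PowerShell 5 or later (Get-FileHash, Get-AuthenticodeSignature, Get-NetTCPConnection). Only the file path comes from the original post; the report shape and output file name are illustrative.

```powershell
# Added triage example (not from the thread). Assumes PowerShell 5+ on Windows.
# The path is the one named in the original post; everything else is illustrative.
$Suspect = 'C:\Windows\System32\libupdate32.exe'

function Get-SuspectFileReport {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    $item = Get-Item -LiteralPath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    # Processes whose main image is this file. A RAT has to be running to accept
    # connections; a file on disk with no live process is less urgent but still
    # worth submitting to the vendor, as Art suggests.
    $procs = @(Get-Process | Where-Object { $_.Path -and ($_.Path -ieq $item.FullName) })

    # Listening or established TCP sockets owned by those processes. An unexpected
    # inbound listener is the classic sign of backdoor activity.
    $conns = @(foreach ($p in $procs) {
        Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
            Where-Object { $_.State -in 'Listen', 'Established' }
    })

    [pscustomobject]@{
        Path            = $item.FullName
        Exists          = $true
        SizeBytes       = $item.Length
        Created         = $item.CreationTime
        LastWrite       = $item.LastWriteTime
        SHA256          = $hash.Hash
        SignatureStatus = $sig.Status   # 'Valid' for a trusted signer; 'NotSigned' is common for malware
        Signer          = $sig.SignerCertificate.Subject
        RunningPIDs     = @($procs.Id)
        Connections     = @($conns | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State)
    }
}

$report = Get-SuspectFileReport -Path $Suspect
$report | Format-List

# Preserve evidence before disinfecting: a zipped copy for vendor analysis, with
# the hash recorded so the copy can be matched to the original later.
if ($report.Exists) {
    $evidence = Join-Path $env:TEMP 'libupdate32-evidence.zip'
    Compress-Archive -LiteralPath $report.Path -DestinationPath $evidence -Force
    "Copy for vendor analysis written to $evidence (SHA256 $($report.SHA256))"
}
```

Run it from an elevated prompt so the process and socket queries are complete. A genuine Windows system binary in System32 will normally carry a valid Microsoft signature and a hash that the vendor can confirm; an unsigned file at that path with a live process holding an inbound listener is the pattern Art is asking about, and the zipped copy is what to send KAV if the alert still looks like a false positive.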

I have now spoken to KAV and they have confirmed that it is almost
certainly a case of someone entering by the back door and removing all
the contents of "My Documents". They were aware of this name.

Because very sensitive material was removed, it is now in the hands of
the police.

When the person logged on to the Internet she got a brief flash of a
message saying that "was dialing in from elsewhere" and then
everything froze. She booted up again and she couldn't get past safe
mode. KAV told me what to do to disinfect but I was asked to leave it
intact.

Colin