Backdoor/SubSeven Trojan


Naveed

Can anyone please help me find a Trojan, that I am being told by "Norton
Personal Firewall 2001" I have. I'm running Win ME. I have all the latest
updates etc but "Norton Antivirus" can't find it. The Firewall is blocking
ok but I want rid of it. I have pasted the content of the "Event Log" but I
just noticed this in "Connections" and am worried it may be sending personal
details. :-
Date: 09/07/2003 Time: 12:12:23
Connection: localhost: Backdoor-g-1 to localhost: 1024, 0 bytes sent,
655 bytes received, 0.625 elapsed time
and
Date: 09/07/2003 Time: 12:12:23
Connection: localhost: 1024 from localhost: Backdoor-g-1, 655 bytes
sent, 0 bytes received, 0.540 elapsed time

This is from "Firewall":-
Date: 09/07/2003 Time: 12:08:28
Rule "Default Block Backdoor/SubSeven Trojan" blocked (My Name,27374).
Details:
Inbound TCP connection
Local address,service is (My Name,27374)
Remote address,service is (00.000.000.000,00000)
Process name is "N/A"

I've tried loads of different sites and followed all the instructions for
deleting Sub7's but there is no sign of it other than the warning from the
Firewall. I also saw the link for http://www.simplysup.com Trojan Remover
but it didn't find anything either. Can anyone please help ?

Thanks in advance
Nav
 
Can anyone please help me find a Trojan, that I am being told by
"Norton Personal Firewall 2001" I have. I'm running Win ME. I have
all the latest updates etc but "Norton Antivirus" can't find it.
The Firewall is blocking ok but I want rid of it. I have pasted the
content of the "Event Log" but I just noticed this in "Connections"
and am worried it may be sending personal details. :-
Date: 09/07/2003 Time: 12:12:23
Connection: localhost: Backdoor-g-1 to localhost: 1024, 0 bytes
sent, 655 bytes received, 0.625 elapsed time



Sub7 is old enough to vote ;)


http://vil.nail.com/


Search for Sub7 and follow instructions.... it's NOT hard... just
requires a brain... oh wait................



Regards,

Ian

 
Naveed said:
Can anyone please help me find a Trojan, that I am being told by "Norton
Personal Firewall 2001" I have. I'm running Win ME. I have all the latest
updates etc but "Norton Antivirus" can't find it. The Firewall is blocking
ok but I want rid of it. I have pasted the content of the "Event Log" but I
just noticed this in "Connections" and am worried it may be sending personal
details. :-

you are confused... you probably don't have the trojan...just because
people on the outside are trying to talk to a trojan on your system,
doesn't mean there's actually a trojan on your system trying to respond...

it's a little like going around knocking on doors to see if anybody's
home...
 
Sub7 is old enough to vote ;)

....and with the US planning to go to computerized ballot boxes in the
wake of the Florida fiasco, it probably will <g>

Bart
 
from the said:
you are confused... you probably don't have the trojan...just because
people on the outside are trying to talk to a trojan on your system,
doesn't mean there's actually a trojan on your system trying to
respond...

it's a little like going around knocking on doors to see if anybody's
home...

It's actually even worse than that - several virus scanners/firewalls
report 'sub seven activity - blocked' based on just the port being used,
and my WinXP network occasionally uses these ports itself .. doesn't
seem to cause a problem if they are blocked (I assume XP just goes to
some other ports instead) but it does raise a 'firewall alert' (in my
case, PcCillin2002). Only happens every few days, so whatever it is that
WinXP is doing (no-one at MS has bothered to comment) it is clearly a
background/housekeeping activity.
 
Thanks Kurt, that was all I needed to know. It's the 1st explanation I've had.
The help file you get with Norton is crap. My port is getting hit every 2-3
hours!! Is there any way to discourage this or do I have to grin and bear
it? It's a new thing for me as I just moved to BBand which is on 24/7.
Thanks
Nav
 
Have you used the security trace feature of Norton Personal Firewall to
trace the remote IP address back to the source?

This trojan horse may be old but that doesn't mean that it isn't still in
circulation and doing damage.
 
Results of studying the virus attacks for 6 months 2003 have shown:
the activity of virus-makers became more boisterous, their educational
level has increased, their creations become more and more refined.
Summing up, it is possible to say, that distributed Internet viruses
are capable to penetrate into all elements of corporate information
infrastructure, attacking both the software, and the equipment.
According to Ukrainian Anti-virus Center the quantity of reports on
virus attacks has grown by 15% for the first six months 2003. The most
dangerous viruses were I-Worm.Tanatos.b, I-Worm.Lentin, I-Worm.Sobig,
I-Worm.Klez.
http://www.crime-research.org/eng/news/2003/07/Mess1605.html
 
I have been encountering the same problem w/ my Norton FW 2003 on my
Personal machine. As far as I can tell from running searches for the
subseven trojan the source machines are simply just fishing for
computers that might be infected and are listening to those ports. If
your firewall says it blocks it when the computer was not running any
programs then most likely it was someone just knocking on that port.
If the firewall alarms go off every time you run a program then it is
possible that you are infected with the trojan.

It seems that probing for this port has become more common in the last
few months. If you have any questions about this I found a couple of
good sites:

http://isc.incidents.org/
and
http://www.cert.org/

Just type what you are looking for in the search engines on those
sites.

Tavis
 
In Message-ID:<[email protected]> posted
If
your firewall says it blocks it when the computer was not running any
programs then most likely it was someone just knocking on that port.

Is the firewall blocking an incoming attempt or outgoing attempt?
If the firewall alarms go off every time you run a program then it is
possible that you are infected with the trojan.

Yep

Bart
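
The triage the replies converge on (an inbound block with no owning process is a knock on the port; outbound traffic or a named process deserves a look), as an added example that is not part of any post in this thread. The log text is constructed in the layout of the firewall entry quoted in the first post, and reading a process name of "N/A" as "no local program involved" is an assumption about how the firewall logs.

```python
import re
# Constructed sample: host name, addresses and the outbound entry are made up.
SAMPLE_LOG = """\
Date: 09/07/2003 Time: 12:08:28
Rule "Default Block Backdoor/SubSeven Trojan" blocked (MYPC,27374).
Details:
Inbound TCP connection
Local address,service is (MYPC,27374)
Remote address,service is (192.0.2.10,4021)
Process name is "N/A"
Date: 09/07/2003 Time: 14:31:02
Rule "Default Block Backdoor/SubSeven Trojan" blocked (198.51.100.7,27374).
Details:
Outbound TCP connection
Local address,service is (MYPC,1045)
Remote address,service is (198.51.100.7,27374)
Process name is "EXAMPLE.EXE"
"""

ENTRY_START = re.compile(r"^Date: (\S+) Time: (\S+)$", re.M)
FIELDS = {
    "direction": re.compile(r"^(Inbound|Outbound) \w+ connection$", re.M),
    "local": re.compile(r"^Local address,service is \(([^,]*),(\d+)\)", re.M),
    "remote": re.compile(r"^Remote address,service is \(([^,]*),(\d+)\)", re.M),
    "process": re.compile(r'^Process name is "([^"]*)"', re.M),
}

def parse_entries(text):
    """Split the log on 'Date:' lines and pull the fields out of each entry."""
    starts = list(ENTRY_START.finditer(text))
    entries = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        entry = {"date": m.group(1), "time": m.group(2)}
        for name, rx in FIELDS.items():
            hit = rx.search(text, m.start(), end)
            entry[name] = hit.groups() if hit else None
        entries.append(entry)
    return entries

def triage(entry):
    """Assumption: process 'N/A' means no local program owned the connection."""
    direction = entry["direction"][0] if entry["direction"] else None
    process = entry["process"][0] if entry["process"] else "N/A"
    if direction == "Outbound" or process not in ("", "N/A"):
        return "investigate"  # a local program sent or accepted traffic
    if direction == "Inbound":
        return "probe"  # outside knock on the port, nothing local involved
    return "review"  # fields missing, read the raw entry
```
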
 