[thechat] Trojan

David Wagner dave at worlddomination.net
Fri Mar 29 16:13:01 CST 2002

Kevin Stevens wrote:

> Despite having Zone Alarm my computer caught a Backdoor Trojan last night.
> Norton's anti-virus picked it up but was unable to delete, quarantine or
> disinfect the files. To solve this I had to go into DOS and delete the
> files, and I feel extremely proud of myself for fixing it :)
> I am still a bit worried that there is a malicious program hiding somewhere
> on my computer, something that could be used in a DoS attack. Any ideas on
> how I could go about checking for this? Also, any ideas on why Zone Alarm
> failed to stop the Trojan in the first place?

As Olly said, ZoneAlarm (and all software firewalls) will usually only
detect a network connection attempt (inbound or outbound). Norton
AntiVirus, and other AV programs, detect various kinds of file
signatures and system activities, and pay no attention to the actual
network performance of the malware.

A large number of these firewall "trojan" detections are false alarms.
The detection is generally based upon the port number of the connection
attempt, and most Trojan writers haven't gone out & registered their
port numbers anywhere. :) This means that games like EverQuest can, on
occasion, be detected as making "Backdoor Trojan" (a generic term)
connection attempts.

The most common actual Trojan is "backdoor.subseven", which is sometimes
just detected as "backdoor.trojan". Excellent information on all viruses
can be found by performing a search for the virus name on Google, or
visiting the website of one of the major AV software manufacturers. You
can usually find instructions for manually removing any virus-like program.

Also, make sure that your AV software is up-to-date, then run a complete
scan with it. Most of the major AV programs will catch any "leftovers"
using this method.

Sounds to me like you're in good shape, though.

David Wagner
dave at worlddomination.net
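
An added example, not part of the original message: the port-number matching described above, run over constructed connection events, beside a variant that also checks which program owns the connection. The event format, program names and approved list are assumptions made for illustration; 27374 is the commonly documented SubSeven default port.

```python
from typing import NamedTuple


class Conn(NamedTuple):
    direction: str    # "in" or "out"
    program: str      # executable that owns the socket
    local_port: int
    remote_port: int


# Illustrative table; a real firewall ships a much longer list.
TROJAN_PORTS = {27374: "backdoor.subseven"}

# Programs the user has approved for network access (constructed).
APPROVED = {"game.exe", "browser.exe"}

# Constructed sample events, not taken from a real log.
EVENTS = [
    Conn("out", "game.exe", 3051, 27374),     # game server happens to use the port
    Conn("out", "browser.exe", 49200, 80),    # ordinary web traffic
    Conn("in", "unknown.exe", 27374, 51000),  # unapproved program on the port
]


def port_only(events):
    """Alert on any connection touching a listed port (the false-alarm case)."""
    return [(e, TROJAN_PORTS[p])
            for e in events
            for p in (e.local_port, e.remote_port)
            if p in TROJAN_PORTS]


def port_and_program(events, approved=APPROVED):
    """Keep a port match only when the owning program is not approved."""
    return [(e, name) for e, name in port_only(events)
            if e.program not in approved]


if __name__ == "__main__":
    for label, rule in (("port only", port_only),
                        ("port + program", port_and_program)):
        print(label)
        for event, name in rule(EVENTS):
            print(f"  {name}: {event.program} {event.direction} "
                  f"{event.local_port}->{event.remote_port}")
```

The port-only rule flags the game as well as the unapproved program; the second rule leaves only the latter for a follow-up AV scan.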