AVAST Missed This Virus! Backdoor.Win32.Naninf

Okay so it was stupid of me to even think about running an SCR file - my excuse is that the icon was Adobe Reader - anyway…

Avast 4.6 Home just let through a virus and even let me execute it without detecting it.

I think the virus was a Backdoor.Win32.Naninf.c
info here: http://www.viruslist.com/en/weblog?weblogid=162294532

So as I’ve now run this thing -
Firstly how can I identify exactly what virus I now have (I can to my site if needed).
Secondly how the hell do I go about removing it.

OS: WindowsXP x64 edition
Setup: 2GB Ram / Athlon64 3500+ / blah blah blah.

Thanks in advance for any help you can give.

Hello :slight_smile:

First you can make an online scan (for example http://www.kaspersky.com/virusscanner) to see which files are infected.
Second, if the scanner finds a virus that is not detected by avast! you can send that file to Alwil and they will add it to the VPS :wink:
If you have such files, send them to virus[at]avast[dot]com in a password-protected archive (usually the password is “virus”) and in the mail body write some info :wink:
And if you want you can make a scan with A2 - http://www.emsisoft.com/en/ - it’s a very useful program for removing malware :wink:

thanks:

http://www.kaspersky.com/virusscanner returned :

Scanned file: so.scr
so.scr - infected by Backdoor.Win32.Breplibot.h

I’ll run some more searches on this.

I recommend you run a full system scan with this online scanner just in case :wink:

You can send this file to Alwil as described below :wink:

Virus emailed to avast.

Running A-squared at the moment.

great - this is…errr … helpful:

http://www.richcoopa.co.uk/virus.gif

good call:


KASPERSKY ON-LINE SCANNER REPORT
Thursday, November 17, 2005 13:37:16
Operating System: Microsoft Windows Server 2003 family, Professional, Service Pack 1 (Build 3790)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/11/2005
Kaspersky Anti-Virus database records: 150546

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Rich\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 8467
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 228 sec

Infected Object Name - Virus Name
C:\WINDOWS\system32\ssrms.exe Infected: Backdoor.Win32.Breplibot.h
C:\WINDOWS\SysWOW64\ssrms.exe Infected: Backdoor.Win32.Breplibot.h

Scan process completed.

These are variants of malware which use the backdoors of the Sony rootkit.
Like breplibot c and h. See here:
http://www.f-secure.com/weblog/archives/archive-112005.html#00000702

So remove the Sony rootkit with the removal tool from Symantec and then clean your breplibot.h infection, else you stay vulnerable:
http://securityresponse.symantec.com/avcenter/venc/data/securityrisk.aries.html
That’s it,

polonus

I found another virus (or maybe a malware) called amsn. It is an executable placed in the windows\system32 directory.
I had to remove it manually with the DOS prompt.
The virus went unnoticed by avast home scanner 4.6 and was revealed by startup patrol because it refused to cancel.
Ever heard of it? I think it is a trojan.

Ooh Boy, oh boy, this is exciting…a malware from Sony rootkit already,

Mr. richkoopa, with that possibility of a backdoor, are you feeling weird already about your computer, you know those so called blackhat hackers won’t turn away from this chance, have you prepared for such attacks…?

God Bless Us All ;D :smiley: :slight_smile:

Hallo dzikrul_maut,

The comment of the Sony boss was not to worry, because the average computer user does not know about rootkits anyway.
Downplaying some risk is an art,

polonus