PC Review



Backdoor/SubSeven Trojan

 
 
Naveed
Guest
Posts: n/a
 
      9th Jul 2003
Can anyone please help me find a Trojan, that I am being told by "Norton
Personal Firewall 2001" I have. I'm running Win ME. I have all the latest
updates etc but "Norton Antivirus" can't find it. The Firewall is blocking
ok but I want rid of it. I have pasted the content of the "Event Log" but I
just noticed this in "Connections" and am worried it may be sending personal
details. :-
Date: 09/07/2003 Time: 12:12:23
Connection: localhost: Backdoor-g-1 to localhost: 1024, 0 bytes sent,
655 bytes received, 0.625 elapsed time
and
Date: 09/07/2003 Time: 12:12:23
Connection: localhost: 1024 from localhost: Backdoor-g-1, 655 bytes
sent, 0 bytes received, 0.540 elapsed time

This is from "Firewall":-
Date: 09/07/2003 Time: 12:08:28
Rule "Default Block Backdoor/SubSeven Trojan" blocked (My Name,27374).
Details:
Inbound TCP connection
Local address,service is (My Name,27374)
Remote address,service is (00.000.000.000,00000)
Process name is "N/A"

I've tried loads of different sites and followed all the instructions for
deleting Sub7's but there is no sign of it other than the warning from the
Firewall. I also saw the link for http://www.simplysup.com Trojan Remover
but it didn't find anything either. Can anyone please help ?

Thanks in advance
Nav


 
 
 
 
 
Ian.H [dS]
Guest
Posts: n/a
 
      9th Jul 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Whilst lounging around on Wed, 9 Jul 2003 12:35:07 +0100, "Naveed"
<(E-Mail Removed)> amazingly managed to produce the
following with their Etch-A-Sketch:

> Can anyone please help me find a Trojan, that I am being told by
> "Norton Personal Firewall 2001" I have. I'm running Win ME. I have
> all the latest updates etc but "Norton Antivirus" can't find it.
> The Firewall is blocking ok but I want rid of it. I have pasted the
> content of the "Event Log" but I just noticed this in "Connections"
> and am worried it may be sending personal details. :-
> Date: 09/07/2003 Time: 12:12:23
> Connection: localhost: Backdoor-g-1 to localhost: 1024, 0 bytes
> sent, 655 bytes received, 0.625 elapsed time




Sub7 is old enough to vote


http://vil.nail.com/


Search for Sub7 and follow instructions.... it's NOT hard... just
requires a brain... oh wait................



Regards,

Ian

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPwwFT2fqtj251CDhEQL+FgCgj2vG93DgsEfCPI66GJh/Kb/Ly1oAoNJy
39k1qap/o+gHAdo9bnVisZCd
=fkc3
-----END PGP SIGNATURE-----

--
Ian.H [Design & Development]
digiServ Network - Web solutions
www.digiserv.net | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.
 
 
kurt wismer
Guest
Posts: n/a
 
      9th Jul 2003
Naveed wrote:
> Can anyone please help me find a Trojan, that I am being told by "Norton
> Personal Firewall 2001" I have. I'm running Win ME. I have all the latest
> updates etc but "Norton Antivirus" can't find it. The Firewall is blocking
> ok but I want rid of it. I have pasted the content of the "Event Log" but I
> just noticed this in "Connections" and am worried it may be sending personal
> details. :-


you are confused... you probably don't have the trojan...just because
people on the outside are trying to talk to a trojan on your system,
doesn't mean there's actually a trojan on your system trying to respond...

it's a little like going around knocking on doors to see if anybody's
home...

--
"when surveys of all the world's countries are done,
canada frequently rates number one.
are we the best country? well we'll never know...
there's nowhere else we can afford to go."

 
 
Bart Bailey
Guest
Posts: n/a
 
      9th Jul 2003
On Wed, 09 Jul 2003 12:06:41 GMT, "Ian.H [dS]" <(E-Mail Removed)>
wrote:

>Sub7 is old enough to vote


....and with the US planning to go to computerized ballot boxes in the
wake of the Florida fiasco, it probably will <g>

Bart
 
 
GSV Three Minds in a Can
Guest
Posts: n/a
 
      9th Jul 2003
Bitstring <vVTOa.7682$(E-Mail Removed)>, from the
wonderful person kurt wismer <(E-Mail Removed)> said
>Naveed wrote:
>> Can anyone please help me find a Trojan, that I am being told by "Norton
>> Personal Firewall 2001" I have. I'm running Win ME. I have all the latest
>> updates etc but "Norton Antivirus" can't find it. The Firewall is blocking
>> ok but I want rid of it. I have pasted the content of the "Event Log" but I
>> just noticed this in "Connections" and am worried it may be sending personal
>> details. :-

>
>you are confused... you probably don't have the trojan...just because
>people on the outside are trying to talk to a trojan on your system,
>doesn't mean there's actually a trojan on your system trying to
>respond...
>
>it's a little like going around knocking on doors to see if anybody's
>home...


It's actually even worse than that - several virus scanners/firewalls
report 'sub seven activity - blocked' based on just the port being used,
and my WinXP network occasionally uses these ports itself .. doesn't
seem to cause a problem if they are blocked (I assume XP just goes to
some other ports instead) but it does raise a 'firewall alert' (in my
case, PcCillin2002). Only happens every few days, so whatever it is that
WinXP is doing (no-one at MS has bothered to comment) it is clearly a
background/housekeeping activity.

--
GSV Three Minds in a Can
Outgoing Msgs are Turing Tested,and indistinguishable from human typing.
 
 
Naveed
Guest
Posts: n/a
 
      9th Jul 2003
Thanks Kurt, that was all I needed to know. It's the 1st explanation I've had.
The help file u get with Norton is crap. My Port is getting hit every 2-3
hours !!. Is there any way to discourage this or do I have to grin and bear
it ? It's a new thing for me as I just moved to BBand which is on 24/7.
Thanks
Nav


 
 
Hank Gans
Guest
Posts: n/a
 
      14th Jul 2003
Have you used the security trace feature of Norton Personal Firewall to
trace the remote IP address back to the source?

This trojan horse may be old but that doesn't mean that it isn't still in
circulation and doing damage.


"Naveed" <(E-Mail Removed)> wrote in message
news:L4TOa.12422$(E-Mail Removed)...
> Can anyone please help me find a Trojan, that I am being told by "Norton
> Personal Firewall 2001" I have. I'm running Win ME. I have all the latest
> updates etc but "Norton Antivirus" can't find it. The Firewall is blocking
> ok but I want rid of it. I have pasted the content of the "Event Log" but I
> just noticed this in "Connections" and am worried it may be sending personal
> details. :-
> Date: 09/07/2003 Time: 12:12:23
> Connection: localhost: Backdoor-g-1 to localhost: 1024, 0 bytes sent,
> 655 bytes received, 0.625 elapsed time
> and
> Date: 09/07/2003 Time: 12:12:23
> Connection: localhost: 1024 from localhost: Backdoor-g-1, 655 bytes
> sent, 0 bytes received, 0.540 elapsed time
>
> This is from "Firewall":-
> Date: 09/07/2003 Time: 12:08:28
> Rule "Default Block Backdoor/SubSeven Trojan" blocked (My Name,27374).
> Details:
> Inbound TCP connection
> Local address,service is (My Name,27374)
> Remote address,service is (00.000.000.000,00000)
> Process name is "N/A"
>
> I've tried loads of different site's and followed all the instructions for
> deleting Sub7's but there is no sign of it other than the warning from the
> Firewall. I also saw the link for http://www.simplysup.com Trojan Remover
> but it didn't find anything either. Can anyone please help ?
>
> Thanks in advance
> Nav
>
>
>



 
 
Vladimir
Guest
Posts: n/a
 
      17th Jul 2003
Results of studying the virus attacks for 6 months 2003 have shown:
the activity of virus-makers became more boisterous, their educational
level has increased, their creations become more and more refined.
Summing up, it is possible to say that distributed Internet viruses
are capable of penetrating into all elements of corporate information
infrastructure, attacking both the software and the equipment.
According to Ukrainian Anti-virus Center the quantity of reports on
virus attacks has grown by 15% for the first six months 2003. The most
dangerous viruses were I-Worm.Tanatos.b, I-Worm.Lentin, I-Worm.Sobig,
I-Worm.Klez.
http://www.crime-research.org/eng/ne.../Mess1605.html
 
 
Tavis H.
Guest
Posts: n/a
 
      25th Jul 2003
I have been encountering the same problem w/ my Norton FW 2003 on my
Personal machine. As far as I can tell from running searches for the
subseven trojan the source machines are simply fishing for
computers that might be infected and are listening to those ports. If
your firewall says it blocks it when the computer was not running any
programs then most likely it was someone just knocking on that port.
If the firewall alarms go off every time you run a program then it is
possible that you are infected with the trojan.

It seems that probing for this port has become more common in the last
few months. If you have any questions about this I found a couple of
good sites:

http://isc.incidents.org/
and
http://www.cert.org/

Just type what you are looking for in the search engines on those
sites.

Tavis



"Hank Gans" <(E-Mail Removed)> wrote in message news:<%pwQa.1117$(E-Mail Removed)>...
> Have you used the security trace feature of Norton Personal Firewall to
> trace the remote IP address back to the source?
>
> This trojan horse may be old but that doesn't mean that it isn't still in
> circulation and doing damage.
>
>
> "Naveed" <(E-Mail Removed)> wrote in message
> news:L4TOa.12422$(E-Mail Removed)...
> > Can anyone please help me find a Trojan, that I am being told by "Norton
> > Personal Firewall 2001" I have. I'm running Win ME. I have all the latest
> > updates etc but "Norton Antivirus" can't find it. The Firewall is blocking
> > ok but I want rid of it. I have pasted the content of the "Event Log" but I
> > just noticed this in "Connections" and am worried it may be sending personal
> > details. :-
> > Date: 09/07/2003 Time: 12:12:23
> > Connection: localhost: Backdoor-g-1 to localhost: 1024, 0 bytes sent,
> > 655 bytes received, 0.625 elapsed time
> > and
> > Date: 09/07/2003 Time: 12:12:23
> > Connection: localhost: 1024 from localhost: Backdoor-g-1, 655 bytes
> > sent, 0 bytes received, 0.540 elapsed time
> >
> > This is from "Firewall":-
> > Date: 09/07/2003 Time: 12:08:28
> > Rule "Default Block Backdoor/SubSeven Trojan" blocked (My Name,27374).
> > Details:
> > Inbound TCP connection
> > Local address,service is (My Name,27374)
> > Remote address,service is (00.000.000.000,00000)
> > Process name is "N/A"
> >
> > I've tried loads of different site's and followed all the instructions for
> > deleting Sub7's but there is no sign of it other than the warning from the
> > Firewall. I also saw the link for http://www.simplysup.com Trojan Remover
> > but it didn't find anything either. Can anyone please help ?
> >
> > Thanks in advance
> > Nav
> >
> >
> >

 
 
Bart Bailey
Guest
Posts: n/a
 
      25th Jul 2003
In Message-ID:<(E-Mail Removed)> posted
on 25 Jul 2003 08:00:02 -0700, Tavis H. wrote:

>If
>your firewall says it blocks it when the computer was not running any
>programs then most likely it was someone just knocking on that port.


Is the firewall blocking an incoming attempt or outgoing attempt?

>If the firewall alarms go off everytime you run a program then it is
>possible that you are infected with the trojan.


Yep

Bart
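
The triage the posters above describe (inbound or outbound, and whether a local program is tied to the blocked connection), as an added Python example that is not part of the thread or of any Norton tool. It assumes entries follow the layout of the event-log entry quoted in the first post; the "Outbound" wording, the process path, the host name and the addresses in the sample are constructed for illustration.

```python
import re

# Constructed sample in the layout of the event-log entry quoted in the thread.
# Host name, addresses (RFC 5737 documentation ranges), the "Outbound" entry
# and its process path are assumptions, not values from the thread.
SAMPLE_LOG = '''\
Date: 09/07/2003 Time: 12:08:28
Rule "Default Block Backdoor/SubSeven Trojan" blocked (MYPC,27374).
Details:
Inbound TCP connection
Local address,service is (MYPC,27374)
Remote address,service is (203.0.113.7,3321)
Process name is "N/A"

Date: 09/07/2003 Time: 14:31:02
Rule "Default Block Backdoor/SubSeven Trojan" blocked (198.51.100.9,27374).
Details:
Outbound TCP connection
Local address,service is (MYPC,1042)
Remote address,service is (198.51.100.9,27374)
Process name is "C:\\WINDOWS\\SYSTEM\\example.exe"
'''

# One blocked-connection entry: date/time, rule, direction, endpoints, process.
ENTRY = re.compile(
    r'Date: (?P<date>\S+) Time: (?P<time>\S+)\s*\n'
    r'Rule "(?P<rule>[^"]+)" blocked \([^)]*\)\.\s*\n'
    r'Details:\s*\n'
    r'(?P<direction>Inbound|Outbound) (?P<proto>\w+) connection\s*\n'
    r'Local address,service is \((?P<local>[^,]+),(?P<lport>\d+)\)\s*\n'
    r'Remote address,service is \((?P<remote>[^,]+),(?P<rport>\d+)\)\s*\n'
    r'Process name is "(?P<process>[^"]*)"')

def triage(log_text):
    """Return one dict per blocked-connection entry, with a 'verdict' key."""
    results = []
    for m in ENTRY.finditer(log_text):
        e = m.groupdict()
        inbound = e["direction"] == "Inbound"
        no_process = e["process"] in ("", "N/A")
        # Inbound with no local process: someone outside knocking on the port.
        # Outbound, or a named local process: something on this machine is involved.
        e["verdict"] = "probe" if inbound and no_process else "investigate"
        results.append(e)
    return results

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e["date"], e["time"], e["direction"], e["remote"], e["verdict"])
```

A "probe" verdict only says that nothing in the log entry ties the blocked attempt to a program on the local machine; it is a reading of the firewall log, not a scan of the system.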
 