Apdoor Backdoor (Remote Access Trojan)

[Ben Dover]

Hi everyone,

Ms Antispyware reports that it found the apdoor backdoor trojan in the
"Documents & Settings" folder. It is located in the "local
settings\temp\sres.dll" file. I am wondering if this is a false signature?
My Norton Antivirus scanner cannot detect it. It comes back every other day
or so even if i remove it with the Ms Antispyware.

Anyone who has an idea?

Thanks,
B.D.

 

[Bill Sanderson]

This may be a false positive, even if it is a file identical to the one used
by Apdoor Backdoor.

What other software are you running at the time this occurs?

This is ringing a bell somewhere for me, but I haven't placed what I recall
yet. Will do a search of these groups.

 

[Bill Sanderson]

Ok - there's a thread started 8/23 in .general relating to this.

Did you ever have the game "Aliens vs Predators 2" installed?

 

[Ben Dover]

Hi,

Wow you are fast, yes i have avp2 installed...
I'll check out the general group...
Thanks
BD

 

[Ben Dover]

Hmm i cannot download old messages...why?
/BD

Hi,

Wow you are fast, yes i have avp2 installed...
I'll check out the general group...
Thanks
BD

 

[Frank Saunders, MS-MVP OE]

Hmm i cannot download old messages...why?
/BD

OE:
First, go to Tools | Options | Read and uncheck "Download 300 messaegs at a
time".
Then right click the newsgroup and select Properties | Local File.
Click Reset.

--
Frank Saunders, MS-MVP OE
Please respond in Newsgroup. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/

 

[Bill Sanderson]

If you are on the web interface, I think they fall off the edge earlier.
NNTP has these groups back to day 1.

In the end, googling on the name of the dll file, I found references to this
file being related to a crack or add-on of some sort to the game.

What I couldn't be certain about--and the thread ended with this not
determined--was whether this crack or add-on was, in fact, a trojan.

The OP in the other thread no longer wanted the game, so he just removed it,
and the issue went away.

I think it is likely that this is a false positive, but the way to be more
certain about that would be to find some better references for Apdoor
Backdoor that define what files should be involved in that threat, and
search for them on your system. if sres.dll is all there is, I'd be
reassured. I don't think I did that research in the other thread--I'll go
look.

I've attached the thread to this message as a zip. The zip is not
passworded and should contain only .NWS files which should open in outlook
express or the newsreader of your choice.

--

 

[Frank Saunders, MS-MVP OE]

If you are on the web interface, I think they fall off the edge
earlier. NNTP has these groups back to day 1.

He's using OE according to his headers. SP2 plus the optional update.

--
Frank Saunders, MS-MVP OE
Please respond in Newsgroup. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/

 

[Bill Sanderson]

Ahh--thanks--didn't even check. (should probably have known--how many
threads with HTML respondents actually continue <g>)

--

 

[Ben Dover]

Hi guys and thanks,

I've read the messages and think that this is a false positive (old). I have
noticed it on another machine as well, but only after we played avp2
networked. About the discussion whether it's a mod that is innocent or not,
maybe, i do have a mod with maps that could be the cause of it.. And yes
(thank G) I am fully patched...and that makes me feel "pretty" safe...
However this will make me even more paranoid and strengthen my efforts to
keep my system clear. God i hate those spyware and trojans...makes one spend
countless of hours pursuing ghosts...

And i also learned a new skill...how to reset the local file and retreive
all messages...not bad..not bad at all...

Just out of curiousity, what newsreader do you guys use? (jupp - i use OE
for newsgroups only..)

My best regards and whishes to you guys for sending my mind to a rest...

/BD

 

[Bill Sanderson]

Terrific--glad we could help.

My original newsreader of choice was Forte Agent

http://www.forteinc.com/main/homepage.php

However, in the XP beta, I think, or perhaps the one before that, I
convinced myself that I should dogfood OE as a newsreader just to assure
myself that it worked--and I have done that ever since. It will still
evidence obnoxious behavior (if a group disappears from the server, it will
also suddenly disappear from the local store.)--but it works well enough
that I haven't gone back to Agent.


--