Apdoor BackDoor - false positive?

G

Guest

Hi,

I run weekly scans with all my programs (Ad-Aware, SpyBot
S&D, Microsoft Anti-Spyware, AOL SP and McAfee Virus Scan)
and over the past couple of days Microsoft is the only one
to pick up "Apdoor BackDoor (Remote Access Trojan)"
located at 'C:/Documents and Settings/Rich/Local
Settings/Temp/sres.dll'

It seems to come back, although not at time when I just
connect to the internet or am even using (it came back
yesterday at just before 16:00 and I was pretty sure I
wasn't even using my PC then for example).

I checked the Symantec website for more info and came
across this page -
http://securityresponse.symantec.com/avcen...oor.apdoor.html
- I'm guessing that 'backdoor.apdoor' is the same file?
Anyways, reading the info on it, it says about there being
an .exe and .dll file of the same name under '%SYSTEM%' so
I checked 'C:\WINDOWS\SYSTEM' and I can't see anything.

Just wondering therefore if this is a false positive or am
I missing something?

Many thanks
 
A

Alan

The folder name suggests that it's Internet related.

The reason you are not seeing the file is that the folder
in which the file is apparently located is hidden. Open My
Computer, select Tools > Folder Options..., click the
View tab, check the box to show hidden files and folders,
and click OK.

Now go to c:\documents and settings\rich\local
settings\temp and see if sres.dll is there. If it is,
then MSAS is correct.

Also, make certain that you are not logging in under a
limited user account, as the app currently only supports
the administrator account that installed the app. If so,
then just ignore the warning. The lack of support for
multiple user accounts should change when Beta 2 is
released, likely before the end of the year.

If neither of these apply, submit a report to MS. Go to
Tools > Submit Suspected Spyware report.

Alan
 
P

Phil

I got the exact same detection, which was rather
disconcerting considering I too, with a healthy dose of
paranoia, run Spybot, AdAware and Norton constantly and
none of them found this sres.dll file before. I checked
the supposed changes to the registry that the trojan
makes according to Symantec and found nothing out of the
ordinary, nor did I find anything else...I'm hoping, to
ease my anxiety at the least, that it is a false
positive. Btw, this is all with the administrator
account. However, I haven't noticed the file
reappearing in scans since I deleted it with Microsoft, so
far so good...

Phil
 
P

plun

Hi Phil

A "good practice" to avoid problems is to remove this
"junkyard" within all temporary folders. Track eraser
within MSAS is "out of order".

CCleaner can be used. www.ccleaner.com

Also to set TIF to maybe 40 MB (Temporary Internet Files), IE tools
 
B

Bill Sanderson

I think finding executable code within the TIF is likely not a Good Thing.

If you are looking by hand for the file in the TIF, this isn't easy to do.
I usually do it at the command prompt. I also find that searches of a
partition are more reliable done at the command prompt if you know clearly
what you are looking for.

It might be good to double check on the executable--go to a command prompt
at the root of your system drive and do attrib \sres.* /s |more and see what
comes back, if anything.

One possible explanation for the presence of the .dll file in your TIF is
that this was an attempt to load the trojan onto your system but that it
failed, perhaps because you are properly patched against whatever exploit
was used. It isn't unusual at all to find java exploit virus code in the
TIF. I'm a bit worried that you found this .dll file, though. It might be
good to figure out what date and time this happened and consider what you
were doing at that time.
--
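A way to carry out the file check that Alan and Bill describe above (show hidden files, search the drive from a command prompt, then work out when the file appeared), as an added example that is not part of this thread: a PowerShell script that searches a drive for every file matching a name, including hidden and system files that Explorer hides by default, and prints the attributes, timestamps, SHA-256 hash and Authenticode signature status a responder needs to triage it. It assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt so every folder is readable; the `-Name` and `-Drive` parameters and the script name are my own.

```powershell
# Added example, not code from the thread. Locate every file matching a name
# on a drive (hidden/system files included) and report what a responder needs
# to decide whether it is worth worrying about.
# Assumptions: PowerShell 4.0+ (Get-FileHash), run from an elevated prompt.
param(
    [string]$Name  = 'sres.*',   # file name pattern discussed in the thread
    [string]$Drive = 'C:\'       # drive to search from the root
)

# -Force includes hidden and system files; -File skips directories;
# unreadable folders are skipped rather than aborting the search.
$hits = Get-ChildItem -Path $Drive -Filter $Name -Recurse -Force -File `
            -ErrorAction SilentlyContinue

if (-not $hits) {
    Write-Output "No file matching '$Name' found under $Drive"
    return
}

foreach ($f in $hits) {
    # Signature status: Valid for signed vendor binaries, NotSigned for
    # most unknown drops, HashMismatch if the file was tampered with.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName

    [pscustomobject]@{
        Path        = $f.FullName
        Attributes  = $f.Attributes        # shows Hidden / System flags
        SizeBytes   = $f.Length
        Created     = $f.CreationTime      # when the file first appeared
        LastWritten = $f.LastWriteTime
        SHA256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Signature   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
    }
}
```

Save it as, say, Find-SuspectFile.ps1 and run `.\Find-SuspectFile.ps1 -Name 'sres.*' -Drive 'C:\'`. The Created timestamp is the "what date and time did this happen" question Bill raises, and the SHA-256 hash is what to give your antivirus vendor when asking whether a detection is a false positive, rather than the file name alone.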
 
G

Guest

Bill,
Thanks for the reply, but I don't think I know how to do
any of the things you suggested...I'm still a novice.
I'm not sure when it might have occurred, but the trojan
appears to be an old one, circa 2003, and I am patched
and firewalled and antivirused with latest defs on
everything. I suppose it might have gotten blocked (in
part) by Norton, but what disturbs me is that Microsoft
Anti-spyware would locate this sres.dll file and Norton
would not. Furthermore, all the literature regarding
this trojan shows registry changes that, on examination,
do not appear on my machine. Nor do I find the
accompanying .exe or other evidence of infection...
Lastly, the file wasn't located in Temporary internet
files (which I regularly clear out) but in the same
location as the first poster...C:\Documents and
Settings\Owner\Local Settings\Temp\sres.dll
Incidentally, I had Microsoft delete the file as soon as
it was detected, so perhaps this is all moot. Thanks for
the help though!
 
B

Bill Sanderson

My mistake about the location--sorry about that. Firewalls won't prevent
trojans, which are largely invited in. Antivirus may, if it is updated and
the trojan is recognized.

I can't find anything about this dll file that points to a clearly
legitimate source or use, but I haven't dug very deeply.

I think it is reasonable on your evidence to say that you don't have this
trojan in place, and probably never did--but I also don't see any clear
"good" source or purpose for sres.dll, so that remains a mystery.

One reason why false positives are more of an issue with antispyware than
with antivirus is the lack of a common definition --even in the broadest
terms--of what constitutes spyware--and also lack of information sharing
within the industry, about what constitutes a particular threat. We've also
seen some examples in these forums of detections based on a single name or
file, that have bordered on the ridiculous--betas are partly about helping
to find such things.
 
G

Guest

I don't know about Phil, but since posting up on here
I've been checking my PC every day whilst on the internet
at intervals and it hasn't reoccurred so I guess (touch
wood) that it's all good.

Also checking out CCleaner at the moment. Cheers ^^
 
G

Guest

I'm also knocking on wood whilst saying this: I've had
nothing but clean scans from MSAS since removing the file
several days ago. I did a google search for "sres.dll"
and several of the entries that showed up appeared to be
related to Aliens vs Predator 2, a game that I had had
installed on my machine some time ago...could
the "sres.dll" have been a remnant from that game that
escaped the uninstall I wonder?
Phil

PS-Thanks to Bill and Plun for the advice and help. It
is most appreciated.
 
B

Bill Sanderson

That's a possibility. One reason why I didn't mention that one clearly is
that it is not clear to me at this distance and via those google hits,
whether the sres.dll involved--which was part of a mod or hack to the game,
not the game itself, I believe--was, in fact an innocent mod, or was a
trojan.

The latter isn't impossible, so I punted by saying that I couldn't find any
info that positively vetted this file as good.

--
 