stde9.exe...?

[Guillaume Colboc]

hello
my stde9.exe file in folder win32 in windows 2k has been infected by a
trojan horse.
i can't repare it, can i delete it? what is this file (a remote installer,
apparently)?
thanks for your answers
guillaume

 

[null]

hello
my stde9.exe file in folder win32 in windows 2k has been infected by a
trojan horse.

Which Trojan? Which scanner?


Art
http://www.epix.net/~artnpeg

 

[David W. Hodgins]

my stde9.exe file in folder win32 in windows 2k has been infected by a
trojan horse.

See http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.html
for info on one of the backdoors that uses this file.

Note, from near the end of that page...

| Additional information:
|
| Once this type of Trojan attacks a computer, it is difficult
| to determine what else the computer has been exposed to.
|
| In most cases, any changes--other than those that the Trojan
| made--will not have occurred. However, the Trojan's creator
| may have been able to use the Trojan to access the computer
| to make changes to it.
|
| Unless you can be absolutely sure that malicious activity has
| not been performed on the computer, we recommend completely
| re-installing the operating system.

Regards, Dave Hodgins

 

[David W. Hodgins]

See http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.html
for info on one of the backdoors that uses this file.

Sorry, my mistake. I misread another page, indicating the two were
related. The above filename is not listed, as part of that trojan.

According to http://archives.neohapsis.com/archives/incidents/2003-03/0055.html
the file is a remote installer, so the note regarding reinstalling, should still
be applicable.

Regards, Dave Hodgins

 

[Guillaume Colboc]

According to http://archives.neohapsis.com/archives/incidents/2003-03/0055.html
the file is a remote installer, so the note regarding reinstalling, should still
be applicable.

thanks.
i sended the file to norton, but what is a remote installer?
isn't the file safe when it's quarantined?

 

[David W. Hodgins]

i sended the file to norton, but what is a remote installer?
isn't the file safe when it's quarantined?

It's a program transferred to your computer, that is then executed
in order to install the rest of the backdoor.

From http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BAT_ZCREW.A&VSect=T
it's spread via weak/missing administrator passwords.

Given that it's already been written to a directory, that shouldn't
be shared, I would be surprised if it hasn't been executed.

Regards, Dave Hodgins

 

[Frank Murphy]

PestPatrol
www.pestpatrol.com

Trojans, Rats, Spyware etc.

FRank

 

[Guillaume Colboc]

Given that it's already been written to a directory, that shouldn't
be shared, I would be surprised if it hasn't been executed.

thanks, i did put an administrator password after your message.