BackDoor-G2.svr.21

A 'Medium-Level' trojan that arrives as an attachment in your email. It is usually disguised as a picture file (.JPG or .BMP). When you click on the picture file, two '.EXE' files are loaded onto your hard drive: MSREXE.EXE and one of the following three: RUN.EXE, WINDOS.EXE or MUEEXE.EXE.

Unfortunately, these files may not be on your hard drive under these particular names. Look also for files with garbled names, like 'RLSIEHTOS2ERSKLDSOXZK.EXE'.

This trojan allows remote access, via the Internet, to your user files and data files. You may see strange boxes pop up on your screen, or keystrokes being entered without your interaction.

The trojan can also make changes to your WIN.INI, SYSTEM.INI and Registry files. These changes will result in an error message popping up every time you try to run a program with an '.EXE' extension. The error message may say "cannot find MSREXE.EXE" or something weird like "cannot find RLSIEHTOS2ERSKLDSOXZK.EXE".

Removal
Do not clean or delete any of the infected files yet!

First off, it's important to realize that older versions of anti-virus software will not necessarily find this trojan.

Some may find it, and clean or delete the infected files, but won't repair the Registry. Look for information on your anti-virus program's website.

The registry changes that are made by BackDoor-G2.svr.21 will prevent you from running any '.EXE' programs, which means REGEDIT.EXE cannot be run at this point. If you try to start a program with an '.EXE' extension you'll get an error box that says 'File Not Found'. Make note of the file it says it can't find. The example above is RLSIEHTOS2ERSKLDSOXZK.EXE.

(Anywhere the file MSREXE.EXE is mentioned, it may be replaced with this other filename).

It's necessary to rename REGEDIT.EXE to REGEDIT.COM. Files with a '.COM' extension are also executable program files!
(In WindowsNT, you would change REGEDIT32.EXE to REGEDIT32.COM)

Start a DOS session by clicking on START/PROGRAMS/DOS PROMPT, or click on START/RUN, type COMMAND and press ENTER. At the DOS prompt, make sure you're in the Windows directory, and type:

REN REGEDIT.EXE REGEDIT.COM

Close out of the DOS session.

Now, from Windows, you can click on START/RUN and type REGEDIT. The Registry Editor will open. If you're not familiar with making changes to the Registry, get someone who is!

Check out
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. When you click on the 'Run' key, delete any entries that make reference to the trojan. Look at the 'RunServices' key in this area and delete any references found there.

Next, look under
HKEY_CLASSES_ROOT\exefile\shell\open\command. You'll see the entry:
(Default) = MSREXE.EXE "%1" %*
Change this to read:
(Default) = "%1" %*

Do the same for the identical entry under HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command.

Also, check under HKEY_CLASSES_ROOT for the key '.dl'. If you find it, delete it.

Exit the Registry Editor.

Edit the WIN.INI file. If there is any reference to the trojan on the line that says 'run =', then delete it. For example, if the line says
run=RLSIEHTOS2ERSKLDSOXZK.EXE, then change it to just read
run =.  

Edit the SYSTEM.INI file. Under the [boot] section, if there is any reference to the trojan on the line that says 'shell =', then change it. The line should only say shell=EXPLORER.EXE.

Restart the computer, search for any of the files associated with the trojan and delete them. Make sure the original email and attached trojan are deleted.
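
The checks from the removal steps above, as an added example that is not part of the original page: a Python audit of the exefile open command, the WIN.INI run= line and the SYSTEM.INI shell= line. It assumes the registry was exported to REGEDIT4 text; the function names are hypothetical and the sample inputs are constructed.

```python
import re
EXPECTED_OPEN = '"%1" %*'        # clean exefile open command
EXPECTED_SHELL = "explorer.exe"  # only shell= value the page accepts

def reg_defaults(reg_text):
    """Map each key in a REGEDIT4 text export to its (Default) value."""
    values, key = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()
        elif key and line.startswith('@="') and line.endswith('"'):
            values[key] = re.sub(r"\\(.)", r"\1", line[3:-1])  # undo \" and \\
    return values

def ini_value(ini_text, section, name):
    """Return name's value inside [section] of an INI file, or None."""
    current = None
    for line in map(str.strip, ini_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() == name:
                return value.strip()
    return None

def audit(reg_text, win_ini, system_ini):
    """List (source, name, value) for every setting the procedure says to fix."""
    findings = [("registry", k, v) for k, v in reg_defaults(reg_text).items()
                if k.endswith(r"\EXEFILE\SHELL\OPEN\COMMAND") and v != EXPECTED_OPEN]
    run = ini_value(win_ini, "windows", "run")
    if run:  # anything on run= starts with Windows, so list it for review
        findings.append(("win.ini", "run", run))
    shell = ini_value(system_ini, "boot", "shell")
    if shell is not None and shell.lower() != EXPECTED_SHELL:
        findings.append(("system.ini", "shell", shell))
    return findings

# Constructed sample inputs (not taken from a real machine).
SAMPLE_REG = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="MSREXE.EXE \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=RLSIEHTOS2ERSKLDSOXZK.EXE\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=EXPLORER.EXE\n"
if __name__ == "__main__":
    print(audit(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI))
```

An empty result after cleanup means all three locations match the values the procedure asks for; a non-empty run= entry can also be a legitimate program, so each one is listed for review rather than treated as malicious.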