
Trojan Horse BackDoor.Small.28.A0
#1
Posted 31 March 2005 - 05:46 PM
regards
shame about jane
#2
Posted 31 March 2005 - 06:50 PM
This one comes close http://www.sophos.co...rojsmallao.html
Yes, it's a good idea to flush your restore.
#3
Posted 31 March 2005 - 08:06 PM
I came to the forum looking for this same information. (Backdoor.Small.28.A0)
AVG just told me I have it, too. It said all the infected files were my Hijackthis files and 'autohealed' it. In other words it deleted them--all of them.
This morning (and every day previously) when AVG ran automatically it didn't find anything. Tonight I decided to update and run everything. AVG said there was a critical update. I downloaded, then ran, then it told me that the trojan was there.
Is it possible that the trojan has been there all along and nothing saw it/found it? In other words is it possible my Hijackthis files were infected all along or could this be a "false positive" so to speak?
Sorry if this is the wrong place to put this. It seems like the right one *S*
Btw, I'm using Firefox 1.0.2 which I installed 03.28.05 (three days ago.)
Edited by Pilgrim2, 31 March 2005 - 08:11 PM.
#4
Posted 31 March 2005 - 09:28 PM
#5
Posted 31 March 2005 - 09:35 PM
I tested one of the suspected files with this false positive tester: http://virusscan.jotti.org/ Very handy little site, I must say!
I got this message:
"MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: UPX"
I sent this info to AVG. (Couldn't send the file because AVG wouldn't let me. lol!)
Got a response back from them so fast that at first I assumed it had to be an autoresponse. But it was a real person!
They said they had the info on this. They said they're working on the fix. Meanwhile they said "Please just download the latest version of Hijack This program from the Internet - there is no false alarm on the latest version."
So does anyone have a link to the very newest version of HJT? (And can you tell me what that is? What number?)
shame about jane, I apologize again if this is not in the correct place. It seemed right before I found out the newest info...
lydarose, just missed your message. We must've been typing at the same time *s*
Edited by Pilgrim2, 31 March 2005 - 09:36 PM.
#6
Posted 31 March 2005 - 10:08 PM
Merijn has said that false positives arise because he uses a packer method that is also often used by malware.
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE
#7
Posted 31 March 2005 - 10:35 PM
>>Merijn has said that false positives arise because he uses a packer method that is also often used by malware.<< I haven't a clue what this means. lol! My friends call me The Poster Child for the Technologically Challenged. However, I'll go look it up. I've learned an awful lot from this forum. I really appreciate it. *s*
#8
Posted 01 April 2005 - 01:00 AM
Today, for the first time in 6 years, AVG alerted me that I was infected with a trojan, namely that BackDoor.Small.28.AO trojan. It was located in 2 old HJT.zip installer files that I've had for many months. Well, I was skeptical, and suspected it was a false positive. (My arsenal of scanners had failed to detect it - only AVG.)
When I saw others (at Dell's and Grisoft's forums) reporting the exact same detection all on the same day my index of suspicion was raised. When I raised this issue at Grisoft's forum, my suggestion that it might be a false positive was dismissed.
Anyways I have had the latest version of HJT since its release. Does anyone think that a trojan could hide itself in old versions of the HJT installer files?
#9
Posted 01 April 2005 - 09:03 AM
Had the same Trojan detected by AVG 7.0 with the latest definitions 266.9.0 of 31MAR2005. The file hijackthis.zip and its decompressed hijackthis.exe both get detected. The EXE file is the only file within the ZIP file, so, if it has run properly as hijackthis, it's definitely not the Trojan. The detected files are version 1.98 of hijackthis. The new version 1.99 does not get detected on my system.
I was unable to contact Grisoft as I only have AVG Free. Does anyone have their email contact address for future problems? No more need to notify them about this one.
-johng
#10
Posted 01 April 2005 - 10:44 AM
jgavinfl> I sent my question to virus@grisoft.cz. This is the email addy suggested at the AVG forum I was reading about false positives. A person got back to me almost right away.
You're right. There's no more need to notify them. They said they're working on the fix already. The discussion at the forum was that sometimes a false positive fix will come out in the very next update.
Edited to add:
jgavinfl> >1.99 does not get detected on my system.< Interesting you should say that and I'm glad you did. It helps me learn more. It *did* detect it in my version of 1.99 on my system...
Edited by Pilgrim2, 01 April 2005 - 10:51 AM.
#11
Posted 02 April 2005 - 04:54 PM
Well, it seems from the responses to my original posting that I am not the only one who had this Trojan (Backdoor.Small.28.A0) picked up by AVG 7.0! And yes, it was detected straight after a CRITICAL AVG update; at least that was good news. AVG healed/deleted it and it has not returned. Well done AVG!
As a matter of interest, ref PILGRIM2's post, I too had just upgraded Mozilla Firefox from 1.0.1 to 1.0.2. Coincidence? Maybe we downloaded this Trojan from the download site? Who knows? As far as I can tell the latest HijackThis is VERSION 1.99.1.
Re: Gasled's reply in this posting, hi! Same as me, I have an arsenal of scanners like A2 and EWIDO, AVPE, etc. etc., and this trojan was not detected by any of them.
I was surprised AVPE did not pick up this Trojan (Backdoor.Small.28.A0) either, because it picks up most, if any, and I do not get many, thank god, but AVG did miss this one. I think it is a good idea to have an independent AV as an on-demand ONLY, so you can do an independent scan; what one AV misses the other one usually picks up.
regards
shame about jane

#12
Posted 02 April 2005 - 05:47 PM
#13
Posted 02 April 2005 - 06:54 PM
AVG did put out a priority update yesterday. I'm assuming the fix was in it. Judging by how busy the site was I'm guessing they made it a priority because so many people needed it. lol!
#14
Posted 04 April 2005 - 12:43 PM
'Twas definitely a false positive, and the latest update fixed it. You can restore that deleted (old) HJT version to its original location from AVG's vault, and run an AVG scan on it - no longer detected.
A good lesson here: most reputable anti-malware apps can (and should) be configured to back up anything deleted.
#15
Posted 04 April 2005 - 05:40 PM
I also found that great link for testing files to see if they are false positives or not.
And I got to talk to some really nice people here and learn some more new stuff. All in all I'd say this one turned out to be much less of a headache than most... *wipes brow* >phew<
>A good lesson here: most reputable anti-malware apps can (and should) be configured to back up anything deleted.< *nods head* Yes, definitely...
Edited by Pilgrim2, 04 April 2005 - 05:41 PM.