Trojan Horse BackDoor.Small.28.A0


14 replies to this topic

#1 shame about jane


Posted 31 March 2005 - 05:46 PM

Hello there, AVG 7.0 detected a Trojan Horse called Backdoor.Small.28.A0 on a scan. It was able to delete it, but I have looked on the web and there does not seem to be much info on this trojan? Appreciate any info anyone has on it, thanks. Also, is it a good idea to turn off system restore temporarily, then on again, just in case it is still in a restore point? I have XP SP2.

regards

shame about jane

#2 Webster


Posted 31 March 2005 - 06:50 PM

Hi,

This one comes close http://www.sophos.co...rojsmallao.html

Yes, it`s a good idea to flush your restore.

#3 Pilgrim2


Posted 31 March 2005 - 08:06 PM

Hi all,

I came to the forum looking for this same information. (Backdoor.Small.28.A0)

AVG just told me I have it, too. It said all the infected files were my Hijackthis files and 'autohealed' it. In other words it deleted them--all of them.

This morning (and every day previously) when AVG ran automatically it didn't find anything. Tonight I decided to update and run everything. AVG said there was a critical update. I downloaded, then ran, then it told me that the trojan was there.

Is it possible that the trojan has been there all along and nothing saw it/found it? In other words is it possible my Hijackthis files were infected all along or could this be a "false positive" so to speak?

Sorry if this is the wrong place to put this. It seems like the right one *S*

Btw, I'm using Firefox 1.0.2 which I installed 03.28.05 (three days ago.)

Edited by Pilgrim2, 31 March 2005 - 08:11 PM.


#4 lydarose


Posted 31 March 2005 - 09:28 PM

AVG found the same thing on my machine today--said hijackthis.exe was infected with the BackDoor.Small.28.AO trojan. I contacted them for more information because I was a little baffled, and they asked me to send them a copy for evaluation, which I just did a little while ago. Hopefully they'll get back to me about it...

#5 Pilgrim2


Posted 31 March 2005 - 09:35 PM

Ok, it seems my problem with Backdoor.Small.28.A0 was a false positive by AVG.

I tested one of the suspected files with this false positive tester: http://virusscan.jotti.org/ Very handy little site, I must say!

I got this message:

"MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)

Packers detected: UPX"

I sent this info to AVG. (Couldn't send the file because AVG wouldn't let me. lol!)

Got a response back from them so fast that at first I assumed it had to be an autoresponse. But it was a real person!

They said they had the info on this. They said they're working on the fix. Meanwhile they said "Please just download the latest version of Hijack This program from the Internet - there is no false alarm on the latest version."

So does anyone have a link to the very newest version of HJT? (And can you tell me what that is? What number?

shame about jane, I apologize again if this is not in the correct place. It seemed right before I found out the newest info...


lydarose, just missed your message. We must've been typing at the same time *s*

Edited by Pilgrim2, 31 March 2005 - 09:36 PM.


#6 cnm


Posted 31 March 2005 - 10:08 PM

http://www.spywarein.../HijackThis.exe

Merijn has said that false positives arise because he uses a packer method that is also often used by malware.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE
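Packer-based false positives like the one cnm describes can be checked on the defender's side before an AV verdict is trusted or dismissed. This added example is not code from the thread, from AVG, or from Jotti; it parses a PE section table and reports UPX section names and high-entropy sections, the same kind of signal Jotti summarised as "Packers detected: UPX". The minimal PE it builds is constructed sample input for offline testing, and the 7.0 bits-per-byte entropy threshold is an assumed triage cutoff, not a standard.

```python
import math
import struct
from collections import Counter

# Default section names UPX writes into a packed PE: a packer hint, not proof of malware.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; compressed or packed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(blob: bytes):
    """Yield (name, raw bytes) for every section of an in-memory PE file."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER, blob, table + 40 * i)
        name, raw_size, raw_ptr = fields[0].rstrip(b"\0"), fields[3], fields[4]
        yield name, blob[raw_ptr:raw_ptr + raw_size]

def packer_indicators(blob: bytes) -> dict:
    """Triage a flagged file: UPX section names plus sections that look compressed."""
    sections = list(pe_sections(blob))
    upx = [n.decode() for n, _ in sections if n in UPX_SECTION_NAMES]
    dense = [n.decode() for n, d in sections if shannon_entropy(d) > 7.0]  # assumed cutoff
    return {"upx_names": upx, "high_entropy": dense, "likely_packed": bool(upx or dense)}

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE (no optional header) used only as offline test input."""
    e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    data_start = e_lfanew + 4 + len(coff) + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack(SECTION_HEADER, name, len(data), 0, len(data),
                             data_start + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    return dos + b"PE\0\0" + coff + table + body

if __name__ == "__main__":
    packed = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 4)])
    print(packer_indicators(packed))
```

A "likely_packed" result only says the file is compressed the way UPX (and much malware) compresses it; as this thread shows, the next step is to compare with a fresh copy from the vendor and report the sample, not to assume infection.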

#7 Pilgrim2


Posted 31 March 2005 - 10:35 PM

cnm> Thank you! Downloaded new version. Works like a charm. AVG takes no exception at all!

>>Merijn has said that false positives arise because he uses a packer method that is also often used by malware.<< I haven't a clue what this means. lol! My friends call me The Poster Child for the Technologically Challenged. However, I'll go look it up. I've learned an awful lot from this forum. I really appreciate it. *s*

#8 gaslad


Posted 01 April 2005 - 01:00 AM

A very interesting thread!

Today, for the first time in 6 years, AVG alerted me that I was infected with a trojan, namely that BackDoor.Small.28.AO trojan. It was located in 2 old HJT.zip installer files that I've had for many months. Well, I was skeptical, and suspected it was a false positive. (My arsenal of scanners had failed to detect it; only AVG.)

When I saw others (at Dell's and Grisoft's forums) reporting the exact same detection all on the same day my index of suspicion was raised. When I raised this issue at Grisoft's forum, my suggestion that it might be a false positive was dismissed.

Anyways I have had the latest version of HJT since its release. Does anyone think that a trojan could hide itself in old versions of the HJT installer files?

#9 jgavinfl


Posted 01 April 2005 - 09:03 AM

Hi folks,

Had the same Trojan detected by AVG 7.0 with the latest definitions 266.9.0 of 31MAR2005. The file hijackthis.zip and its decompressed hijackthis.exe both get detected. The EXE file is the only file within the ZIP file, so, if it has run properly as hijackthis, it's definitely not the Trojan. The detected files are version 1.98 of hijackthis. The new version 1.99 does not get detected on my system.

I was unable to contact Grisoft as I only have AVG Free. Does anyone have their email contact address for future problems? No more need to notify them about this one.

-johng

#10 Pilgrim2


Posted 01 April 2005 - 10:44 AM

gaslad>>Does anyone think that a trojan could hide itself in old versions of the HJT installer files?<< As I understand it (and please know, I'm definitely NO techy) your version of HJT does not have the trojan. It has a programming technique called 'packing' that AVG *sees* as a trojan, but it's not really. There is no trojan to hide itself in your old versions of HJT.

jgavinfl> I sent my question to virus@grisoft.cz. This is the email addy suggested at the AVG forum I was reading about false positives. A person got back to me almost right away.

You're right. There's no more need to notify them. They said they're working on the fix already. The discussion at the forum was that sometimes a false positive fix will come out in the very next update.

Edited to add:

gavinfl> 1.99 does not get detected on my system.< Interesting you should say that and I'm glad you did. It helps me learn more. It *did* detect it in my version of 1.99 on my system...

Edited by Pilgrim2, 01 April 2005 - 10:51 AM.


#11 shame about jane


Posted 02 April 2005 - 04:54 PM

Hi Guys,
Well, it seems from the response to my original posting that I am not the only one who had this Trojan (Backdoor.Small.28.A0) picked up by AVG 7.0! And yes, it was detected straight afterwards of a CRITICAL AVG update, at least that was good news, and AVG had healed/deleted it and it has not returned. Well done AVG!

As a matter of interest, ref PILGRIM2's post, I too had just upgraded Mozilla Firefox from 1.0.1 to 1.0.2? Coincidence? Maybe we downloaded this Trojan from the download site? Who knows? As far as I can tell the latest HijackThis is VERSION 1.99.1.

Re gaslad's reply in this posting, hi! Same as me, I have an arsenal of scanners like A2 and EWIDO, AVPE, etc. etc. and this trojan was not detected by any of them?

I was surprised AVPE did not pick up this Trojan (Backdoor.Small.28.A0) either, because it picks up most if any, and I do not get many, thank god, but AVG did miss this one. I think it is a good idea to have an independent AV as an on-demand ONLY, so you can do an independent scan; what one AV misses the other one usually picks up.

regards

shame about jane :wave:

#12 cnm


Posted 02 April 2005 - 05:47 PM

Antivirus programs don't generally have the highly specialized capabilities of trojan scanners. I suggest a free trial of TrojanHunter (there are no free anti-trojan programs that I know of). http://www.trojanhunter.com/

#13 Pilgrim2


Posted 02 April 2005 - 06:54 PM

shame about jane> No, it wasn't an actual trojan. It was a false alarm by AVG. They've since put out another update and fixed it. At least I assume it's fixed... It deleted my HijackThis program that it said contained a trojan, so I have nothing to try it out on now.

AVG did put out a priority update yesterday. I'm assuming the fix was in it. Judging by how busy the site was I'm guessing they made it a priority because so many people needed it. lol!

#14 gaslad


Posted 04 April 2005 - 12:43 PM

Pilgrim2:

Twas definitely a false positive, and the latest update fixed it. You can restore that deleted (old) HJT version to its original location from AVG's vault, and run an AVG scan on it- no longer detected.

A good lesson here: most reputable anti-malware apps can (and should) be
configured to back up anything deleted.

#15 Pilgrim2


Posted 04 April 2005 - 05:40 PM

>>You can restore that deleted (old) HJT version to its original location from AVG's vault,<< Thanks. As it turned out I needed the very newest version anyway and cnm gave me the link to it. Downloaded that and dumped the two older versions, so now the house is all neat and tidy. *g*

I also found that great link for testing files to see if they are false positives or not.

And I got to talk to some really nice people here and learn some more new stuff. All in all I'd say this one turned out to be much less of a headache than most... *wipes brow* >phew<

>A good lesson here: most reputable anti-malware apps can (and should) be
configured to back up anything deleted.< *nods head* Yes, definitely...

Edited by Pilgrim2, 04 April 2005 - 05:41 PM.





Member of UNITE