
backdoor.bot


Evedia


Scan came up with this tonight. A few searches point to TDSS, but I see no other symptoms of that so far.

Malwarebytes' Anti-Malware 1.36

Database version: 2173

Windows 5.1.2600 Service Pack 3

5/23/2009 11:42:32 PM

mbam-log-2009-05-23 (23-42-29).txt

Scan type: Quick Scan

Objects scanned: 81498

Time elapsed: 1 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Backdoor.Bot) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Same here: ;)

Malwarebytes' Anti-Malware 1.37 (final beta 2)

Database version: 2173

Windows 5.1.2600 Service Pack 3

24/05/2009 8:17:37

mbam-log-2009-05-24 (08-17-29).txt

Scan type: Quick Scan

Objects scanned: 94691

Time elapsed: 5 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Backdoor.Bot) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


OK, here's the developer's log from the XP Pro laptop:

Malwarebytes' Anti-Malware 1.36

Database version: 2173

Windows 5.1.2600 Service Pack 2

5/24/2009 12:27:19 AM

mbam-log-2009-05-24 (00-26-49).txt

Scan type: Quick Scan

Objects scanned: 95019

Time elapsed: 8 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Backdoor.Bot) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


My scan with Malwarebytes' Anti-Malware 1.36 also picked up Backdoor.bot. I really hope this is a false positive. I've quarantined it and I'll wait for some response. In the meantime, here's my log:

Malwarebytes' Anti-Malware 1.36

Database version: 2173

Windows 5.1.2600 Service Pack 3

5/24/2009 3:37:44 AM

mbam-log-2009-05-24 (03-37-44).txt

Scan type: Quick Scan

Objects scanned: 93113

Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I've been running scans every two or three days (last full scan was 3 days ago) and haven't picked up anything in months, although I did have a problem in December.


Hi,

I did an update of Malware today and after a scan I received the following as part of the log:

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Backdoor.Bot) -> No action taken.

Should I remove this or is it a FP?


Okay, I restored the identified problem from quarantine, updated and rescanned with Malwarebytes' Anti-Malware 1.37 and it's not picking up a problem. Must have been a false positive -- thanks for the quick work.

But I am going to have to get out of the habit of scanning at 4:00 AM (US EDT). Now I need to unwind before I'll get to sleep! ;)


Extremely quick fix with database version 2174:

Malwarebytes' Anti-Malware 1.37

Database version: 2174

Windows 5.1.2600 Service Pack 3

24/05/2009 10:12:46

mbam-log-2009-05-24 (10-12-46).txt

Scan type: Quick Scan

Objects scanned: 94760

Time elapsed: 5 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

;)

Thank you.


Sorry, being a newbie I have one minor question. I have XP SP2 and did find the backdoor issue on a FULL scan. Your instructions, which I am following, are to update, which I did, but then do a quick scan (after restoring from quarantine, which I did). My question is: since I have to assume that a quick scan will be less extensive than a complete scan (otherwise why the name change for the scan), isn't it possible a quick scan might miss what a full scan picked up?


Greetings ;) . This question actually comes up quite often. The truth is, the way the quick scan is designed, it should be able to detect all the malware that MBAM possibly can, thus making the full scan option largely unnecessary. The only case I could think of where a full scan might be useful is if you had other hard drives that might have gotten infected by something. In this particular case, since the entry was in the registry, either scan type would find it, because part of the quick scan is to scan the keys where malware is known to show up in the registry. That's why most of the posters here (including myself) got this false positive doing only a quick scan ;) .


But I am going to have to get out of the habit of scanning at 4:00 AM (US EDT). Now I need to unwind before I'll get to sleep! ;)

:) I know what you mean! I scan the desktop PC daily at the end of the day after everyone in the family has stopped using it for the day...and hence I was up a couple of hours later than I intended to be last night. ;)

The first thing I do if Malwarebytes finds something now is take a deep breath and check this forum. I'm glad people were posting about this right away and I am amazed at how quickly Malwarebytes developers deal with the FP's, so a big thank you goes to them, too. :D


Okay...I may have a problem. I got this false positive and then promptly deleted it from quarantine. Yes, I now realize that was really stupid, but in my defense I was half asleep at the time. Is having deleted this going to cause any problems with my PC?

I'm not an expert, so I can't tell you if having this registry key missing will cause problems or not. However, you should be able to restore your registry to a point prior to this key being quarantined by running System Restore. There are instructions here:

http://support.microsoft.com/kb/322756

Near the end of the page is the part to "restore the registry" for both XP and Vista. I use XP, and rather than use the Start-Run thing, I would just go to Start-All Programs-Accessories-System Tools-System Restore (because to me that looks easier ;))

When it's done, you can check the registry and see if the key has been restored.

Hope that helps. ;)


Well, I tried the system restore, but it didn't work. After the restart a message came up saying something like "The system restore failed. No changes were made." And the registry is still missing whatever it was I deleted. However, my computer doesn't seem to be malfunctioning in any way, so maybe it doesn't matter. Anyhoo, thanks for the advice Amethyst!
