BackDoor-G2.svr.21

A 'Medium-Level' trojan that arrives as an attachment in your email, usually disguised as a picture file (.JPG or .BMP). When you click on the picture file, two '.EXE' files are loaded onto your hard drive: MSREXE.EXE and one of the following three: RUN.EXE, WINDOS.EXE or MUEEXE.EXE.

Unfortunately, these files may not be on your hard drive under these particular names. Look also for garbled files, like: 'RLSIEHTOS2ERSKLDSOXZK.EXE'.

This trojan allows remote access, via the internet, to your user files and data files. You may see strange boxes pop up on your screen, or keystrokes being entered without your interaction.

The trojan can also make changes to your WIN.INI, SYSTEM.INI and Registry files. These changes will result in an error message popping up every time you try to run a program with a '.EXE' extension. The error message may say "cannot find MSREXE.EXE" or something weird like "cannot find RLSIEHTOS2ERSKLDSOXZK.EXE".

Removal
Do not clean or delete any of the infected files yet!

First off, it's important to realize that older versions of anti-virus software won't necessarily find this trojan.

Some may find it, and clean or delete the infected files, but won't repair the Registry. That leaves the Registry pointing at a file that no longer exists, so no '.EXE' program will start. Look for information on your anti-virus program's website.

The registry changes that are made by BackDoor-G2.svr.21 will prevent you from running any '.EXE' programs, which means REGEDIT.EXE can't be run at this time. If you try to start a program with a '.EXE' extension you'll get an error box that says 'File Not Found'. Make note of the file it says it can't find. The example above is RLSIEHTOS2ERSKLDSOXZK.EXE.
(Anywhere the file MSREXE.EXE is mentioned below, it may be replaced with this other filename.)

It's necessary to rename REGEDIT.EXE to REGEDIT.COM. Files with a '.COM' extension are also executable program files, and the trojan's hook only affects the '.EXE' file type, so the renamed copy will run.
(In WindowsNT, you would change REGEDIT32.EXE to REGEDIT32.COM)

Start a DOS session by clicking on START/PROGRAMS/DOS PROMPT, or click on START/RUN, type COMMAND and press ENTER. At the DOS prompt, make sure you're in the Windows directory, and type:

REN REGEDIT.EXE REGEDIT.COM

Close out of the DOS session.

Now, from Windows, you can click on START/RUN and type REGEDIT. The Registry Editor will open. If you're not familiar with making changes to the Registry, get someone who is!

Check out HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. When you click on the 'Run' key, delete any entries that make reference to the trojan. Look at the 'RunServices' key in this area and delete any references found there.

Next, look under HKEY_CLASSES_ROOT\exefile\shell\open\command. You'll see the entry:
(Default) = MSREXE.EXE "%1"%*
Change this to read:
(Default) = "%1"%*

Do the same for the identical entry under HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command.

Also, check under HKEY_CLASSES_ROOT for the key '.dl'. If you find it, delete it.

Exit the Registry Editor.

Edit the WIN.INI file. If there is any reference to the trojan on the line that says 'run=', then delete it. For example, if the line says run=RLSIEHTOS2ERSKLDSOXZK.EXE, then change it to just read run= (nothing after the equals sign).

Edit the SYSTEM.INI file. Under the [boot] section, if there is any reference to the trojan on the line that says 'shell=', then change it. The line should only say shell=EXPLORER.EXE.

Restart the computer, search for any of the files associated with the trojan and delete them. Make sure the original email and attached trojan are deleted.
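To check all of the persistence points covered by the steps above in one pass, here is an added Python example (not from the original page, and not McAfee's tooling). It parses a REGEDIT text export together with the contents of WIN.INI and SYSTEM.INI and reports the indicators the page describes: a hijacked exefile\shell\open\command, Run/RunServices entries naming the trojan's files, a stray '.dl' class, a 'run=' line in WIN.INI, and a 'shell=' line that is anything other than EXPLORER.EXE. The sample export and INI text are constructed for the demonstration, and the "garbled filename" regular expression is my own heuristic, not something the page specifies.

```python
"""Audit the persistence points BackDoor-G2.svr.21 is described as changing.

Added example, not the page's own tooling. Input is a REGEDIT text export
plus WIN.INI / SYSTEM.INI contents; output is a list of findings.
"""
import re

# Filenames the page associates with the trojan (MSREXE.EXE plus one of three).
TROJAN_NAMES = {"MSREXE.EXE", "RUN.EXE", "WINDOS.EXE", "MUEEXE.EXE"}
# Heuristic (an assumption, not from the page): a long random-looking
# uppercase name such as RLSIEHTOS2ERSKLDSOXZK.EXE is treated as suspicious.
GARBLED_NAME = re.compile(r"^[A-Z0-9]{15,}\.EXE$")

EXEFILE_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command",
)
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)


def parse_reg_export(text):
    """Parse a REGEDIT4-style export into {key: {name: value}} (string values only).

    The default value is stored under the name '@'. Registry key names are
    case-insensitive, so they are normalised to lower case here.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                # Undo the .reg escaping of quotes and backslashes.
                value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def is_trojan_reference(command):
    """True if a command line names one of the trojan's files or a garbled name."""
    for token in command.replace('"', " ").split():
        base = token.rsplit("\\", 1)[-1].upper()
        if base in TROJAN_NAMES or GARBLED_NAME.match(base):
            return True
    return False


def check_exefile(keys):
    """The clean default is '"%1" %*'; anything in front of "%1" runs first."""
    findings = []
    for key in EXEFILE_KEYS:
        default = keys.get(key.lower(), {}).get("@", "")
        prefix = default.split('"%1"', 1)[0].strip()
        if prefix:
            findings.append(f"{key}: exefile hijacked by '{prefix}'")
    return findings


def check_run_keys(keys):
    """Flag Run / RunServices values that reference the trojan."""
    findings = []
    for key in RUN_KEYS:
        for name, command in keys.get(key.lower(), {}).items():
            if is_trojan_reference(command):
                findings.append(f"{key}\\{name}: {command}")
    return findings


def check_dl_class(keys):
    """The page says the '.dl' class under HKEY_CLASSES_ROOT should not exist."""
    return [r"HKEY_CLASSES_ROOT\.dl exists"] if r"hkey_classes_root\.dl" in keys else []


def ini_value(text, section, key):
    """Return key's value from the given [section] of an INI file ('' if absent)."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == section.lower()
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == key.lower():
                return value.strip()
    return ""


def check_ini_files(win_ini, system_ini):
    """WIN.INI 'run=' must be empty; SYSTEM.INI 'shell=' must be only EXPLORER.EXE."""
    findings = []
    run = ini_value(win_ini, "windows", "run")
    if run:
        findings.append(f"WIN.INI run={run}")
    shell = ini_value(system_ini, "boot", "shell")
    if shell.upper() != "EXPLORER.EXE":
        findings.append(f"SYSTEM.INI shell={shell}")
    return findings


def audit(reg_text, win_ini, system_ini):
    """Run every check and return the combined list of findings."""
    keys = parse_reg_export(reg_text)
    return (check_exefile(keys) + check_run_keys(keys) + check_dl_class(keys)
            + check_ini_files(win_ini, system_ini))


# Constructed sample input mirroring the symptoms the page describes.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="MSREXE.EXE \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Windos"="C:\\WINDOWS\\RLSIEHTOS2ERSKLDSOXZK.EXE"

[HKEY_CLASSES_ROOT\.dl]
@=""
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=RLSIEHTOS2ERSKLDSOXZK.EXE\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe RLSIEHTOS2ERSKLDSOXZK.EXE\n[386Enh]\ndevice=*vpowerd\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print(finding)
```

On a real machine the export would come from REGEDIT's "Export Registry File" (run from the renamed REGEDIT.COM), and the two INI files would be read from the Windows directory; the checks themselves do not need to run on the infected machine, which matters when no '.EXE' will start there.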