Old 08-07-2003, 09:40 AM   #1 (permalink)
Registered User
 
Join Date: Mar 2003
Posts: 23
Need help with Backdoor.IRC.Cirebot - Annoying as all get out...

Well, this is what happens when I don't act quick enough on the critical updates. Let me start off by saying that I realize there's probably not much anyone can do about this. I just thought I'd have to ask in case someone can.

The bottom line is this: I forgot a critical update, and last night someone tried to hit me with this trojan (Backdoor.IRC.Cirebot). Luckily, I was running a fully updated version of NAV 2003 - So Norton saw the virus and deleted the file that it recognized it in (\Windows\system32\sysval32.exe). I was kinda freaked out, so I did a system scan... And in the middle of the scan, Norton auto-protect popped up and told me it deleted the same file!

Needless to say, I was getting worried. I checked - The file was indeed deleted, and non-existent. So I read up on the details of the virus, and I found a bit more. That's when I noticed a TON of open connections to my box. So I disconnected from the internet, and ran a full scan. Norton told me my system was virus free.

If I ever re-connect to the internet in any form, those connections fly open again. I even moved my computer behind a Linux box router with a firewall, and those connections open - so it doesn't seem like remote access. It's obvious to me that somehow I've become infected with a Virus that Norton's latest definitions can't detect - And Symantec is no help on this issue unless I want to pay them $30 for them to tell me nothing I don't already know.

Anyone have any advice on this thing? I'm keeping that computer disconnected from the internet for the time being, and so it seems okay - But I just have no idea how to figure out how or why those connections are opening - Even after the infected file has been deleted and a scan runs clean!

Old 08-07-2003, 09:46 AM   #2 (permalink)
Guest
Guest
 
Posts: n/a
what os are you running?

what ports are you finding open?

info on the virus for others to read

don't just trust norton

i would do an online virus scan also
http://housecall.trendmicro.com/


another thing, did you so happen to get a message on irc saying to stop spam in IRC or something run this code?


https://grc.com/x/ne.dll?bh0bkyd2

there is a program on here that will test your firewall and tell you what ports are open and what they are used for.

You could if you want run the free version of ZoneAlarm and see if anything hits the firewall. But if norton deleted it i think you should be pretty safe.




Old 08-07-2003, 11:12 AM   #3 (permalink)
Registered User
 
Join Date: Mar 2003
Posts: 23
Thanks for the input!

I'm at work right now, so I can't try these solutions, but I'll certainly give them a shot when I get back to the computer that's having issues.

Sorry for the lack of info - I should've said this earlier! I'm running XP with SP1 - Though I am lacking in certain critical updates. I plan on getting those ASAP - as I've just found them on Microsoft's site for download (Windows Updater doesn't work for me for some reason).

I know norton deleted the file that it claimed to be infected, but I still see the connections open - Anytime I reactivate my connection, that is. I don't remember exactly, but most of them are on 37021 or something like that (37XXX for sure, also 30XXX). Two of the connections are certainly on port 57005, as warned by Symantec. Also, the IPs are sequential, leading me to be even more suspicious. Despite all this, Norton says I'm clean, even though with the IP change it has to be something happening from within my computer to open these connections.

I'll give the online virus scan a try as soon as I get home from work. Thanks again!
Old 08-07-2003, 08:01 PM   #4 (permalink)
Registered User
 
Join Date: Mar 2003
Posts: 23
Well, things haven't gotten much better, but here's the run-down.

I've installed the critical update for the exploit associated with this worm. That should prevent the same thing from happening over again... I've also updated Norton, and I've done two full system scans. Once with updated Norton, and once with the "Housecall" scanner linked in the above message. Both scans came up saying my system was absolutely clean! Both scans were set to scan all files, and in compressed files. I've moved my computer off of the static IP I was on to a dynamic IP behind a Linux Box with a firewall.

But I'm still seeing these connections! Every few seconds, my computer broadcasts, I think. Running "netstat" I see this:

(Computer Name):33XX unknown.sagonet.net SYN_SENT

This will close after a little while, and then it will pop right back up on a different port. The XX's indicate rolling sequential numbers. After a while, anomalous connections will then be established, from such IPs as annoyances.org, sagonet.net, or sa.windows.com. Norton is on auto-detect, and from what I've seen, nothing malicious has happened - yet.

Can anyone provide any help? Why are these connections popping up? Why is my computer sending out these signals like this if I'm virus free? Does anyone have any suggestions?

Thanks for your time.
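The pattern described in the last post (a half-open SYN_SENT connection that closes and then reappears from a new local port) can be tied to the process that owns it. This is an added example, not part of the thread: it assumes snapshots captured a few seconds apart with `netstat -ano`, whose `-o` switch adds the owning PID on Windows XP, and every address, port and PID in it is constructed.

```python
import re
from collections import defaultdict

# Constructed snapshots in the `netstat -ano` column layout
# (Proto, Local Address, Foreign Address, State, PID). Every address,
# port and PID below is made up for illustration.
SNAPSHOTS = [
    """  TCP    0.0.0.0:135          0.0.0.0:0           LISTENING     884
  TCP    192.168.1.20:3301    198.51.100.7:80     SYN_SENT      1412
  TCP    192.168.1.20:1056    203.0.113.5:80      ESTABLISHED   2040""",
    """  TCP    0.0.0.0:135          0.0.0.0:0           LISTENING     884
  TCP    192.168.1.20:3302    198.51.100.7:80     SYN_SENT      1412
  TCP    192.168.1.20:1060    203.0.113.9:80      SYN_SENT      2040""",
    """  TCP    0.0.0.0:135          0.0.0.0:0           LISTENING     884
  TCP    192.168.1.20:3303    198.51.100.7:80     SYN_SENT      1412""",
]

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def syn_sent_rows(snapshot):
    """Yield (local_port, remote_addr, remote_port, pid) for half-open rows."""
    for line in snapshot.splitlines():
        m = ROW.match(line)
        if m and m.group(5) == "SYN_SENT":
            yield int(m.group(2)), m.group(3), int(m.group(4)), int(m.group(6))

def repeat_callers(snapshots, min_ports=3):
    """Return PIDs whose SYN_SENT attempts came from at least min_ports
    distinct local ports across the snapshots, with ports and targets."""
    seen = defaultdict(lambda: {"local_ports": set(), "remotes": set()})
    for snap in snapshots:
        for lport, raddr, rport, pid in syn_sent_rows(snap):
            seen[pid]["local_ports"].add(lport)
            seen[pid]["remotes"].add(f"{raddr}:{rport}")
    return {pid: {k: sorted(v) for k, v in d.items()}
            for pid, d in seen.items()
            if len(d["local_ports"]) >= min_ports}

if __name__ == "__main__":
    for pid, info in repeat_callers(SNAPSHOTS).items():
        print(f"PID {pid}: retries from {info['local_ports']} to {info['remotes']}")
```

The PID reported here can be matched to an executable through the PID column in Task Manager, which shows what is actually opening the connections even when a file scan comes back clean.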