Backdoor.Agent.B and iSearch nightmare

Dennis Faas

This feature article is a step away from our normal discussions, as I am currently out of town visiting a friend in Toronto, Ontario for the next few days.

RE: My encounter with the Backdoor.Agent.B Trojan

I arrived at Frank's place in Toronto this past Sunday, and was unable to access the Internet until Wednesday. Unfortunately, Frank's computer was host to 35 virus-infected files, 7 Spyware variants, 4 Trojans, and 2 Internet worms (including MyDoom and SoBig) -- and he didn't even know it.

I spent much of Monday and Tuesday "undoing" the damage caused by the malware. I have to say that with all my years of computing experience, the Backdoor.Agent.B Trojan virus and the iSearch toolbar were probably the most difficult, scum-sucking, bottom-of-the-barrel programs I've ever attempted to manually remove from a computer. Backdoor.Agent.B was particularly difficult to research on the 'net because the infected .DLL filename ("logapd.dll", in this case) was randomly generated by the Trojan. In other words, no other web sites on the 'net were talking about logapd.dll, because logapd.dll only existed (as a randomly generated filename) on Frank's computer.

Pretty tricky.

Thankfully, Norton Antivirus (which I recently installed) recognized the variant under its official detection name (Backdoor.Agent.B), and I was able to research it further using Google. I eventually made my way to Symantec's web site, which provided manual removal instructions. After Agent.B was removed, undoing the rest of the damage to Frank's computer was relatively simple, although very time consuming.

Lessons Learned: how to avoid Spyware, Viruses, and Trojans in the Future

After it was all said and done, Frank learned a few valuable lessons:

  • First and foremost: there is no such thing as a free lunch these days. This is especially true for the many "free" downloads on the Internet, which often come bundled with Spyware. One of the programs that Frank installed onto his machine recently was "Messenger Plus" (a plug-in for MSN Messenger), which I believe came bundled with the iSearch toolbar. Frank was very surprised to learn that Messenger Plus, although related to MSN Messenger, was in fact a third-party utility -- bundled with third-party software -- and not something that was released by Microsoft. Side note: If you ever have any doubt about whether a program you're about to download contains Spyware, simply visit Google.com and type in the name of the program, followed by the word "Spyware", and click the search button. Using the Messenger Plus example, the phrase to search for would be "Messenger Plus Spyware".
     
  • Download Windows Updates as soon as they become available, and install them immediately. Although Frank set Windows Updates to download automatically, he chose to have Windows "remind [him] of pending updates". In other words, Frank chose to install the updates at a later time, rather than have Windows do it automatically. For instructions on how to automate Windows Updates for Windows XP, read this Microsoft article.
     
  • Make sure that your Virus Scanner is up to date. Frank was using McAfee VirusScan version 5, with old virus definitions (dating back to April of 2002). The lesson learned: a virus scanner is only as good as its virus definition files, which need to be updated regularly: typically at least once a week.
     
  • Use an adequate Firewall. Frank was using an older version of McAfee Firewall, which was not capable of informing him that programs running on his computer were communicating with the outside world. In fact, a number of the Trojans installed on Frank's computer were designed to "sniff" his passwords and send them to a remote computer (connected somewhere on the Internet). To correct this problem, I uninstalled McAfee Firewall and installed ZoneAlarm (free).
     
  • And most importantly: Neither Lavasoft Ad-Aware nor Spybot Search & Destroy (two freeware Spyware removers which Frank had installed on his computer) were able to detect and remove the highly annoying iSearch toolbar / homepage hijacker. I had to manually remove the program myself, which required editing the System Registry (read this previous Gazette article for generic steps on how to remove any Spyware toolbar). After I told Frank that Spy Sweeper would stop Spyware *before* it had a chance to get on his system and cause harm, he quickly signed up for a 2-year subscription. More information on Spy Sweeper and how it works here.

Reminder: PC Security Guide

Much of what I have just briefly mentioned above is covered explicitly in my PC Security Guide. If you have any concerns about protecting your PC, privacy, and data, you should download the guide immediately!
