Backdoor/SubSeven trojan


Every time I click on to the new TDR web page my firewall program alerts me that the site is sending me the Backdoor/Subseven trojan! My firewall's default is to block it, but the event log says that the site tries to send it many times over the course of a few seconds. What the heck is going on here?
 
Blame your firewall

The TDR site is only sending standard HTML. Since it's a Linux box, it cannot be infected by Windows viruses.



Subseven is a Win32 trojan. When the infected file is run, the trojan copies itself to the \Windows\ directory with the original name of the file it was run from, then it copies a DLL file, WATCHING.DLL, to the \Windows\System\ directory. After this, the backdoor modifies the Registry so that it can be run during the next Windows bootup. When Subseven is active in memory, it looks for TCP/IP connections through which a client can access or control the remote system where the server version is installed.



In other words, your computer is infected from the inside, most likely through an email attachment, and when the trojan sees you connect to our site it tries to spread itself to our site.



If it were on our site, Zone Alarm on my system and the firewall software on the server would have notified us.



See:

http://www.symantec.com/avcenter/venc/data/backdoor.subseven.html





Ken

TDR Admin
 
I can support Ken on this one for sure!

Yep, Linux is not likely to spread that virus.



Sure, if left to its own devices and without any virus protection software one could pass a virus email through a Linux box, but that box would never be infected by these Microsoft-related scripting worms.



I spent most of the last two days cleaning up the latest attack of scripting worms on my email servers. Seems the guy I replaced was not big on virus protection... arggg



Another agreement with Ken, ZoneAlarm is a great product for your home PC! I paid for the pro version because I was so happy with the free version.
 
Well, I still don't understand what is going on. I'm running Norton personal firewall and Norton antivirus 2000; both are up to date and both load on boot up, so they're running all the time. I might add they have been in the machine since day one. When the firewall alerts me that it's blocking the trojan, the antivirus doesn't see a problem. And on a full system scan the antivirus can't find anything wrong; the firewall says it's blocking INCOMING Backdoor/SubSeven trojan. I surf all over the net and the only time I get the warning from the firewall is when I'm on the TDR. I never have seen this until the new site came online. I tried to get through to Symantec customer support but no luck there. Could someone be trying to attack my computer from another source when I just so happen to be on the TDR site?
 
As a thought, try turning off your cookie support in your browser as a test. That might change the behavior and get a different reaction from the scanner.



The site is running on PHP, the cool part about that is that most of the calculations are being done on the server. Again, Linux as a server is less likely to be aiding the 'dark side' in sending you that kind of trojan. However, anything is possible these days.



My .02 is that the 'signature' which the scanner is looking for is being duplicated by an unfortunate string of code in the TDR's webpage. That code is likely harmless but is fooling the scanner into warning you.



You are doing the right thing looking into it, press on until you figure it out. Someone else is bound to see the same thing if it truly is coming from the TDR.



If I had the same software suite I'd test it for you.
 
Thanks for the page link David, I ran both tests and my computer came up clean and safe, maybe I am getting a false alarm. In any case it makes me feel better that the protection software checks out.
 