Backdoor.Mard ........ HOW do I remove it

[Gary R]

Updated AVG today (Tues) & ran it. It detected the following:
:
Backdoor.mard in Mirc32.exe.
:
:
What is the procedure for removing it/
Do I have to back up all files, or can it be disposed of safely?
How come AVG & ZoneAlarm (both freeware versions) let it through

 

[$teve]

because its not a virus,its a trojan..........a/v software is not equipped to deal with most trojans.
if avg detected it,see if it can deal with it..........if so,it should be ok.
in any case,download "the cleaner" www.moosoft.com
update and run the program.
it will deal with it.
need any more help........just ask.
good luck

 

[brendandonhu]

ZoneAlarm manages internet traffic, thats all.

You said AVG detected it, and then you said AVG let it through

 

[Gary R]

UPDATE!!!!
:
Just tried to run mIRC32 ...... When AVG fixed the trojan, it removed the mirc32.exe file, so I will have to reload the program
:
:

$teve .... Ok, thanks for info on that Trojan program. Will take a look at it. Might be good idea to get it since I get on IRC fairly often.
:
:
Brendandonhu....
:
Ok, here's what happened, AVG had an update on their site & so I downloaded it. After doing so, I ran it, and it said Backdoor.mard had been detected but that was all--it didn't offer to fix or quarantine it.
Each time I clicked on the Mirc folder a warning screen came up warning me that Backdoor.mard was found and did i want to keep it from working, & AVG showed a "Allow Access" NO button and it also ran a 30 second timer. I would hit enter, & the warning screen would go away. I looked around in Mirc folder to see if I could find something--I didn't tho'
:
I posted my question..., then just for the heck of it I ran WindowWasher 4.7 with all boxes except those for AOL checked, then scandisk, & Defrag.
After running Defrag, I then ran AVG, & this time it informed me Backdoor32.mard had been found and was being fixed. Then it said the trojan had been quarantined.
I turned the comp off, let it set a minute or so, then turned it back on, and there was no AVG warning, so out of curiosity I ran AVG again & it said everything was fine -- no viruses detected....

 

[$teve]

gary.....if you use mirc then the cleaner is a good thing to have.
it sits there silently monitoring your system and wont let anything change any registry settings until you ok it.which is handy if anything sneaks by your firewall.

 

[Enigma_DS]

I have reason to believe this is a bug in the newest update that grisoft/avg released on Jan/21/2003. I have two old copys of mirc 5.7 sitting on an backup partition that AVG picked as being "backdoor.mard". While info on backdoor.mard seems to be non-existant.. all Ive managed to find is that it first showed up late summer of 2000. So I really have no idea how it is contracted. But I watch my systems heavly and keep them upto date so it seems weird this would just happen. To test this theory I downloaded a clean (or so I hope) copy of 5.7 from http://mirc.stealth.net/download/oldver.html and scaned it with AVG.. sure enough it claimed the mirc32.exe for 5.7 was infected with "backdoor.mard". Im starting to question if this is an error in grisofts latest avg update. Granted in theory it could be posible that as soon as I downloaded and extracted the file something in the background could have infected the mirc32.exe file that seems out of the question as I know everything thats running in the background and its the normal services that have always been running. Also if AVG picks up backdoor.mard in mirc32.exe in theory it should pick it up else where. Again having no idea how backdoor.mard works its only a guessing game right now. Older versions of AVG didnt pick this up and it doesnt pick this up with mIRC v6.03

Ill report the findings of the rest of my test soon.

oh and AVG for me when it found it "healed its self" (quarantined it).

 

[Enigma_DS]

My testing with an older version of AVG and with the latest version of The Cleaner found nothing. This has got to be an error with grisofts latest AVG update. I even ran the so-called trojan and watched where I connected to.. the only thing I connected to was the server I wanted to connect to. I dont see any weird connections while running it. Im reporting this to grisoft/AVG and see what they say. Seeing as this backdoor.mard is almost 3 years old I dont think there would be some all of a sudden out of nowhere update to it.

 

[Enigma_DS]

so avg agrees this seems to be an error in the latest update. Here is an email I got from them in reply to my reporting of this problem.




Dear Sir/Madam,

We are very sorry about the problem
Reported problem will be solved in the next update of AVG 6.0
Anti-Virus

Best regards,

Miroslav Koutny
AVG Technical Support

website: http://www.grisoft.com
mailto: [email protected]
On Fri, 24 Jan 2003 03:48:24 -0500 you wrote:

>I downloaded the 1/21/2003 update to AVG and it found an old backup
of mIRC
>5.7 mirc32.exe to be infected with "backdoor.mard". Questioning this
I
>looked for info dealing with "backdoor.mard" and while I found no
really
>helpful info about it, I did find that its from around the summer of
2000.
>Something that old I dont see as all of a sudden getting an update
to it
>that would warrent AVG picking it up when it never has before. To
test this
>I used a common trojan finder called "The Cleaner" from
>http://www.moosoft.com/thecleaner. It didnt find anything either. I
also
>tested this with an older version of AVG and it didnt find it
either. Seeing
>as the new update doesnt speak of adding detection of a
"backdoor.mard" and
>that "backdoor.mard" is nearing 3 years of age this testing leads me
to
>believe that this is a false positive caused by the 1/21/2003 AVG
update.
>Just to test even more so I ran the so-called infected file and
watched
>where I connected to. There was only one connection made.. and that
was to
>the server I was connecting to. This also leads me to believe that
this is a
>false positive caused by the 1/21/2003 AVG update. Then I went out
and
>downloaded a clean version of 5.7 from
>http://mirc.stealth.net/download/oldver.html and the 1/21/2003
update also
>said it was infected with "backdoor.mard".. however an older version
of AVG
>nor did The Cleaner find anything. Again this leads me to believe
that this
>is a false positive caused by the 1/21/2003 AVG update. Im not the
only one
>to have this problem. I found this fourm tonight in which someone
speaks of
>the same problem. That fourm/thread can be found here
>http://forums.techguy.org/t114558/s25203a227fef5477e8d94807a4a33ea3.h
tml
>
>It would be nice if you would download 5.7 from
>http://mirc.stealth.net/download/oldver.html and test it to see if
this is a
>true infection or a false positive caused by the 1/21/2003 update.
If this
>however is a true infection I would very much like to know and know
more
>info about "backdoor.mard" as there is a security flaw on one of my
machines
>that needs to be found.
>
>
>Thank you for your time.
>

 

[dvl666stn]

I myself found that i had the Backdoor.mard virus when i updated AVG.. The only diffrence i noticed was my keyboard was all screwed up example:- p-3 w-1 etc etc...

Also on booting (loading windows XP) i noticed my keyboard lock light came on and stayed on...

Sure this is a mistake by AVG ?

Regards

Mike

 

[brendandonhu]

If it happened to both of you, I'll bet its a problem with AVG.

 

[Bdaz1]

I too was alerted by AVG that it found the Trojan Horse "BackDoor.Mard". I also updated AVG on 1/23/03.

It said it was 1 infected file: C:\_RESTORE\TEMP\A0612379.cpy
and recommended moving it to the "Virus Vault". Upon selecting this option, AVG said it cannot delete this file and terminated the AVG program showing 1 Virus found, 0 files fixed, 1 virus still on the PC.

I also email AVG Tech Support and am awaiting an answer. I did download the trial version of "The Cleaner" mentioned earlier in this thread and ran it. The Cleaner did NOT find the Backdoor Trojan.

 

[brendandonhu]

OK its definitely giving a false positive on certain files and backdoor.mard.

From this thread alone theyve been emailed twice, im sure it will be fixed. For now, ignore AVG if it reports this virus.

 

[Gary R]

When AVG found .mard it just said it was being fixed, then quarantined. Then I found out that the .exe file for mIRC5.7 had been deleted.
I downloaded / set up mIRC 6.03 & so far no problems with AVG -- however, they hadn't updated their files by late Saturday nite (Pacific Coast time), so anxious to see if they do get the problem cleared up.

 

[thumper66]

its now 5.05pm gmt on Tuesday 28/1/03 and as of yet theres no word of an update on the Grisoft site. I've had this problem and so have some friends ..but I suppose its slightly better that its a false positive than missing a real infection

 

[djtipmothee]

I have exactly the same problem with the exact same symptoms.