Removal of a backdoor Trojan from a Windows 2003 server

  • Posted:
  • Proposals: 3
  • Remote
  • #231123
  • Completed
Adam F.Jose Luis M.Martin D. have already sent a proposal.
  • 1


Experience Level: Expert
I run a managed web server. We make extensive use of Cold Fusion.

We appear to have a Trojan running on the server. The most obvious symptom is the appearance of a rogue file which, when it runs, causes an overload on our Cold Fusion system which results in a failure of that service.

As soon as the task accociated with the rogue file, windos.exe, is ended in Task Mgr and the copy of the file deleted from the C drive the CF activity overload drops back to normal.

Sometimes there are two instances of the process in task manager.

Until today, windos.exe was tending to make a roughly regular appearance resulting in my terminating it. It would then appear again maybe 2 to 3 hours later.

But the game appears to be changing now with the file re-appearing a matter of a couple of minutes or less after deletion.

This is obviously a bit freaky as there appears to be no way to stop the re-occurrance.

Reading what little there is on Google about this file there is a suggestion that it may be linked to a backdoor Trojan called Bifrost.

Bifrost seems to install a load of hacker stuff onto a server in hidden files, providing the hacker with a lot of control over the machine.

I don't know how automated these re-appearances are, whether they are a software actions or something being done by someone in the flesh. The current rapid re-appearances have a very human feeling about them. And I've just spent an hour or so ending the task each time it has appeared and now it's all gone quiet.

I think a server restart helps because it breaks the connection with the external agent.

I've searched for files that are supposed to be linked to Bifrost but I can't find any. It's very likely that if they exist on the server they are now using different filenames.

One irony with all this is that we don't actually manage the kind of data these idiots are after… financial account passwords etc…

We are small business running on a very low profit base. We can't afford to have this kind of distraction (which at worse requires server restarts at any hour of the day). Nor can we pay a lot of money to get it fixed...

My budget as show here is based on no sense at all of what is involved here! So it's pretty arbitrary.

Other info... we run Symantec Anti Virus. We Installed Trojan Hunter after becoming aware of the problem (TH and Symantec scans have located some issues that have been dealt with, but the problem outlined above is persisting).

New Proposal

Create an account now and send a proposal now to get this project.

Sign up

Clarification Board Ask a Question

    There are no clarification messages.