|
f0r0r
Overview
f0r0r is a powerful trojan horse that is both hard to detect and
to remove.
Roger Roberts reports in his preliminary analysis
that the trojan is located in %SystemDir%\f0r0r\ where the following files are located:
dirote.exe, dorod.ini, redroses.exe, van32.exe, demo.xt, dordo.sys, kltye.exe, processes.exe, niamx.exe, romto.exe, wexp.exe, dir32.exe, dorod.exe, kolder.exe, ppi.exe
A sign of infection is ppi.exe and dirote.exe running in the Task Manager's process list. Roger Roberts reports that
"%SystemDir%\f0r0r\" is an invisible folder that stayed invisible even when configuring the system to
show hidden and system files. The directory could be viewed when booting the computer with a
Linux start-up CD.
The only suggested removal procedure I have come across is to boot the system using another operating
system such as MS-DOS, Linux or BEOS, find "%SystemDir%\f0r0r\" and delete it.
Note: %SystemDir% is a variable (?). By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Packetshack.org is also providing
an analysis of f0r0r.
SpywareInfo
reports the following about f0r0r: "It turns out our new parasite is protected by an open source NT rootkit called Hacker
Defender. Hacker Defender installs a device driver which hooks the Windows API. It allows
it to hide a directory with a particular name while allowing files to exist there, hide open
ports from a port scanner while allowing connections to and from that port, hide processes in
memory from process managers along with other cute tricks. Anything protected by Hacker Defender
is a real pain to find and remove."
Classification
Trojan Horse
Files
dirote.exe, dorod.ini, redroses.exe, van32.exe, demo.xt, dordo.sys, kltye.exe, processes.exe, niamx.exe, romto.exe, wexp.exe, dir32.exe, dorod.exe, kolder.exe, ppi.exe
If you have any of the files related to f0r0r on your system,
please send them
for additional analysis. Generally, I have only analysed a
few versions for each software component listed at this web site. With your help I
will be able to look at both old and more recent versions of the f0r0r software.
Thank you very much for your time!
Log references
Vendor
Unknown
Privacy policy
No privacy policy available.
Detection
Bazooka Adware and Spyware Scanner detects f0r0r.
Bazooka is freeware and detects spyware, adware, foistware, trojan horses, viruses, worms and
other potentially unwanted applications.
Read more »
Manual removal
Please follow the instructions below if you would like to remove f0r0r manually. Please
notice that you must follow the instructions very carefully and delete everything that is mentioned. In most
cases the removal will fail if one single item is not deleted. If f0r0r remains on your system
after stepping through the removal instructions, please double-check by stepping through them again.
- Boot your computer using another operating system, such as MS-DOS, Linux or BEOS.
- Find %SystemDir%\f0r0r\ and delete it.
Note: %SystemDir% is a variable (?). By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Restart your Windows operating system
-
Start the registry editor. This is done by clicking Start then Run.
(The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
- Browse to the key:
'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
- In the right pane, delete the value called 'rn4d', if it exists.
Problems uninstalling? Click here.
I'm looking for your help!
Thank you for using my site, I hope you find it useful. I'm looking
for help from all users, please read more.
Contact information for f0r0r's vendor
In order to provide correct, accurate and updated information about f0r0r
I encourage the vendor to contact me if any part of this write-up
needs a revision.
Related links |
|
Bazooka - Free scan for spyware, adware, trojan horses, keyloggers, etc. Detects more than 500 potentially unwanted applications. Freeware!
The File Database - Search the file database for more information. Free!
PopUp Blocker Test - Find out if your pop-up killer can handle all pop-ups. Free!
Kephyr Labs - Find out what is going on at Kephyr. Try products in an early stage of development.
|
|
|