9 replies to this topic

[Gilroy]

Hello... I've posted as Greg (unregistered) until now. Decided it was time to actually register. :D

A member of my online community recently complained that she thought she may have received a "backdoor trojan virus" from SigmaChat. Here is what she said

Quote

I signed into the chatroom, played around a bit then left. A little while later I decided to check it out again cause I had more time. I went in and switched rooms and BOOM a Norton warning came up that I had backdoor.trojan on my computer. Not from an email like I usually get warned when one is on its way in...and I can delete it immediately and not worry about it infecting my computer. This time it wasn't warning me of an email... so my only assumption is that it came through the chatroom somehow... I have no idea.. I'm not virus versed. I've taken care of it now... so I'm clean, or so I think. I've never had to do this before.

She also said that Norton recommended she take this action:
http://www.sarc.com/avcenter/venc/data/bac...oor.trojan.html

Has anyone ever heard of this? Is it just Norton freaking out because the chat application is doing its job?

Please advise so I can relay the information to my members.

Thank you

[Chris]

Quote

Is it just Norton freaking out because the chat application is doing its job?

Sounds about right. My first guess would be that this user is running a "Internet Protection" type of application, not neccesarily a plain virus detector -- and it will probobly complain when any application makes a network connection that it hasn't specifically been told is OK. A virus scan would be a smart idea though, just in case it isn't the chat software it is complaining about.

We recommend to many users that they temporarily disable such applications if they are causing interference, there are many people out there with extremely paranoid setups that often time cause more headaches then they do help.

[ShadyNight]

That's odd, I myself use norton virus protetion and their firewall, I have never had that problem with the chat room.

Perhaps it is something to do with configuration of the virus protection?? I do know when I first set mine up that any page with java would set it off, but once I told it the chat (and the few site I visit) are okay it left me alone! hehe
(yeah I know, no help, but it is another perspective! :D )

[Chris]

:)

Recently I was working on a machine using Norton's firewall software trying to hookup a printer over a LAN and it popped up with a message a number of times telling me there was a possible trojan or the likes, and it asked me if I wanted it to ignore this in the future.. after 5 or 6 times telling it to ignore it, it finally quit bothering me ..

On the other hand, I've used machines running the same software and never heard it complain..

It's still very likely the problem may be with another piece of software too...

[Gilroy]

This is what I told the member who reported this problem.

Quote

Backdoor.Trojan is a generic detection for a group of backdoor Trojans. Your Norton antivirus didn't detect a specific virus.  It detected suspicious activity with trojan-like attributes. 

I will continue to research the problem, but I do believe that you're OK.  You may want to read the help documents that came with your antivirus software to determine if there is a way to ignore activity from specified programs

I do hope it was not a virus. :(

[Gilroy]

Ok... I'm a little worried about security. I've gone around and around with my members regarding this virus alert. I'm beginning to think that maybe there is a security issue here. I'm about to lay down the money for either the Professional or Platinum version and really need to be certain that I'm not going to be putting my members at risk for viruses.

Here's what was said by one member

Quote

I spent hours yesterday removing, deleting and reediting restarting and rescanning to make sure I was then bug free. It was on my computer, there is no doubt about it. It was not just a warning or my computer freaking out... it has never done it in 5 years and I've gone in many many chats. I'm not trying to argue, I just know what happened here and what the chat vendor doesn't know is that I have run virus applications for four or five years and have never encountered anything of this sort, my computer has never "freaked out" over anything before or even warned.

The computer is ok now cause of all the time I spent on it yesterday

What kind of effort has been (is being) done to protect members against this type of attack? I need to have reassurance that RaiderSoft is taking this seriously and is researching the problem.

Please advise.

[Chris]

This is from the Backdoor.trojan file information you provided in the link --

Quote

When Backdoor.Trojan is executed, it may create a copy of itself in the \Windows or the \Windows\System folder. In most cases, it uses one or more of the common loading points to make sure that it runs when you start Windows. For information about common loading points, read one of these documents:

This isn't even a possibility with Java applets. Applet software is forced, by design, to follow very strict security measures, and if software tries to break it it won't be allowed to execute. Our software cannot access your computer's files at all, nor does it try to.

SigmaChat is a simple chat applet. It merely opens a socket to our servers for real-time chat communication. It does not allow people to enter your computer, and it does not attempt to cause any harm to your systems.

Tens of thousands of people use SigmaChat daily. I assure you it is not a virus, a trojan horse/backdoor, or anything of the like.

In the two years we've been in business, this is the first I've heard of someone worried that our software is a backdoor or virus. Occasionally, internet protection software may complain because a non-standard port is being used, but nothing along the lines of a backdoor utility.

[Chris]

For those of you concerned with Java Applet security, I strongly urge you to read:

http://java.sun.com/sfaq/

which explains what Java applets can and cannot do. In reading this, know that SigmaChat is considered an Unsigned/Untrusted Applet loaded from a Java-enabled browser over the net.

[Gilroy]

Thanks Chris. That's exactly what I wanted to here. :)

[olcharlie]

We've just had a similar event with a user who believes he got it from another user. His Norton found a Trojan.Gen.2 virus in his java cache. He took care of it and reinstalled java, but 2 weeks later his Norton reported another Web Attack: JRE Trusted Method Chaining CVE-2010-0840 8, again in his java cache, both hits apparently from the same IP 031.184.237.014.

We have another user who has sworn a vendetta for being banned and apparently sells software for masking IP's, etc. Is there a way this person could acquire someone's IP address through contact here, assuming that person is highly skilled? I imagine your servers are pretty secure, but we've been playing Skipton UK hub, anchorfree proxy and some of the servers are blacklisted as spammers.

If you can reassure me nobody can snag info from our IP lists I'll be content and i imagine that possibility is a real stretch. Also if there's anyway to stop this person without sub netting all of creation, which i doubt, i'd be ecstatic. So reassure me on the one and remind me we live in an imperfect world on the other and we can write this off as venting. Thanks.