Hier ligt dus een mooie taak voor u als docent en uw collega's. :) Edoch,
het winst-percentage van beveiligings-ontwikkelaars is nog nooit zo hoog
geweest, dus ergens wordt de beginnende pc-er toch bewust van de
risico's. En op p2p-sites is naast films/muziek dwonloaden de antivirus-
produkten en aanverwante zaken heel populair, een prettige
bijkomstigheid! Geeft dit als lesmateriaal als het over spyware gaat:
http://home01.wxs.nl/~kleyn080/Spywareinfonl.html Gratis
info/programma's.

Ik ken die site maar toch zeer bedankt.

Hallo, ik heb een anti virus geinstalleerd NORTON 2004 en ik had 3
virussen in mijn pc, nu zijn er 2 gewist maar 1 kan de anti virus niet wissen
het BACK DOOR JEEM virus... ik zoek alle mogelijkheden op om dit te
wissen maar het gaat niet! zou u mij kunnen helpen a.u.b??
ik krijg ook al tijd in mijn pc een programma dat zich automatisch
instaleerd telkens je de pc opstart over "sex" als ik op desinstalleren druk
gaaat het een uurtje weg en daarna komt het terug , zo kan ik geen 32
kleuren maar hebben maar 16 maar!!! aub help hoe moet BACKDOOR
JEEM WEG??? dank bij voorbaat.

Je moet je pc even in veilige modus opstarten en daarna nog een keer
scannen met norton ofzo. Mocht dit niet werken moet je hem even
handmatig deleten...

gevonden met Google "backdoor jeem removal"

When Backdoor.Jeem runs, it does the following:

It copies itself as C:%system%Msrexe.exe.

Note: %system% is a variable. The Trojan locates the Windows
System folder and copies itself to that location. By default
this is C:WindowsSystem (Windows 95/98/Me),
C:WinntSystem32 (Windows NT/2000), or C:WindowsSystem32
(Windows XP).

It adds the value

System Service C:%System%msrexe.exe

to the registry key

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun

so that the Trojan runs when you start Windows.

It adds these values:

1c3943
4lkf83
vk8593
2340v93
4c34
c0948273
398349873

to the registry key

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionWelcome

It creates the registry key

HKEY_LOCAL_MACHINESystemCurrentControlSetServicesSwartax

and adds this value to it:

ImagePath C:%System%msrexe.exe

The Trojan opens three TCP ports to allow the hacker to
remotely control the infected computer. One TCP port is used
for SMTP service; this allows the hacker to send email
through the compromised system.

recommendations

Symantec Security Response encourages all users and
administrators to adhere to the following basic security
"best practices":

* Turn off and remove unneeded services. By default,
many operating systems install auxiliary services that are
not critical, such as an FTP server, telnet, and a Web
server. These services are avenues of attack. If they are
removed, blended threats have less avenues of attack and you
have fewer services to maintain through patch updates.
* If a blended threat exploits one or more network
services, disable, or block access to, those services until
a patch is applied.
* Always keep your patch levels up-to-date, especially
on computers that host public services and are accessible
through the firewall, such as HTTP, FTP, mail, and DNS services.
* Enforce a password policy. Complex passwords make it
difficult to crack password files on compromised computers.
This helps to prevent or limit damage when a computer is
compromised.
* Configure your email server to block or remove email
that contains file attachments that are commonly used to
spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
* Isolate infected computers quickly to prevent further
compromising your organization. Perform a forensic analysis
and restore the computers using trusted media.
* Train employees not to open attachments unless they
are expecting them. Also, do not execute software that is
downloaded from the Internet unless it has been scanned for
viruses. Simply visiting a compromised Web site can cause
infection if certain browser vulnerabilities are not patched.

removal instructions

The following instructions pertain to all current and recent
Symantec antivirus products, including the Symantec
AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode.
4. Run a full system scan, and delete all files that are
detected as Downloader.BO or Backdoor.Jeem.
5. Delete the values that were added to the registry.

For specific details on each of these steps, read the
following instructions.


1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend
that you temporarily turn off System Restore. Windows Me/XP
uses this feature, which is enabled by default, to restore
the files on your computer in case they become damaged. If a
virus, worm, or Trojan infects a computer, System Restore
may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus
programs, from modifying System Restore. Therefore,
antivirus programs or tools cannot remove threats in the
System Restore folder. As a result, System Restore has the
potential of restoring an infected file on your computer,
even after you have cleaned the infected files from all the
other locations.

Also, a virus scan may detect a threat in the System Restore
folder even though you have removed the threat.

For instructions on how to turn off System Restore, read
your Windows documentation, or one of the following articles:

* "How to disable or enable Windows Me System Restore"
* "How to turn off or turn on Windows XP System Restore"


For additional information, and an alternative to disabling
Windows Me System Restore, see the Microsoft Knowledge Base
article, "Antivirus Tools Cannot Clean Infected Files in the
_Restore Folder," Article ID: Q263455.

2. Updating the virus definitions
Symantec Security Response fully tests all the virus
definitions for quality assurance before they are posted to
our servers. There are two ways to obtain the most recent
virus definitions:

* Running LiveUpdate, which is the easiest way to obtain
virus definitions: These virus definitions are posted to the
LiveUpdate servers once each week (usually on Wednesdays),
unless there is a major virus outbreak. To determine whether
definitions for this threat are available by LiveUpdate,
refer to the Virus Definitions (LiveUpdate).
* Downloading the definitions using the Intelligent
Updater: The Intelligent Updater virus definitions are
posted on U.S. business days (Monday through Friday). You
should download the definitions from the Symantec Security
Response Web site and manually install them. To determine
whether definitions for this threat are available by the
Intelligent Updater, refer to the Virus Definitions
(Intelligent Updater).

The Intelligent Updater virus definitions are
available: Read "How to update virus definition files using
the Intelligent Updater" for detailed instructions.


3. Restarting the computer in Safe mode or VGA mode

Shut down the computer and turn off the power. Wait for at
least 30 seconds, and then restart the computer in Safe mode
or VGA mode.

* For Windows 95, 98, Me, 2000, or XP users, restart the
computer in Safe mode. For instructions, read the document,
"How to start the computer in Safe Mode."
* For Windows NT 4 users, restart the computer in VGA mode.


4. Scanning for and deleting the infected files

1. Start your Symantec antivirus program and make sure
that it is configured to scan all the files.
* For Norton AntiVirus consumer products: Read the
document "How to configure Norton AntiVirus to scan all files."
* For Symantec AntiVirus Enterprise products: Read
the document "How to verify that a Symantec Corporate
antivirus product is set to scan all files."
2. Run a full system scan.
3. If any files are detected as infected with
Downloader.BO or Backdoor.Jeem, click Delete.


5. Deleting the values that were added to the registry
WARNING: Symantec strongly recommends that you back up the
registry before making any changes to it. Incorrect changes
to the registry can result in permanent data loss or
corrupted files. Modify the specified keys only. Read the
document, "How to make a backup of the Windows registry,"
for instructions.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key


HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
4. In the right pane, delete the value:

"System Service"="C:%System%msrexe.exe"
5. Navigate to the key


HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionWelcome
6. In the right pane, delete these values:

1c3943
4lkf83
vk8593
2340v93
4c34
c0948273
398349873
7. Navigate to and delete the key


HKEY_LOCAL_MACHINESystemCurrentControlSetServicesSwartax
8. Exit the Registry Editor.

hallo ik ben diegen dat op 9november een mail heeft gestuurd in verbrand
met dat BACKDOOR JEEM virus.... nu blijkt dat backdoor jeem een
TROJAN is dus dat iemand mijn pc heeft gehackt?!
nu vandaag 12november kan ik mijn pc NIET MEER OPSTARTEN!!!
telkens ik mijn pc opstart, herstart ie zonder dat op mijn bureaublad kan
kome! ik kan mijn pc ook onmogellijk uitdoen... ik moet telkens de stekker
uittrekken! nu gaat mijn pc maandag naar een informaticus! die gaat kijken
wat er mee scheelt! maar zou u mij toch nog informatie kunnen geven over
het BACKDOOR JEEM "virus"? alvast bedankt... dank bij voorbaat

----->>een Belg<-----

Nee. Dit betekent dat JIJ het verkeerde bestand aangeklikt hebt.


bron: http://www.virusalert.nl/?show=faqs

Ben ik het niet helemaal mee eens. Een backdoor wordt
hierbij geclassificeerd als trojan.. maar bij (vrijwel) alle
succesvolle hacks wordt een backdoor geladen, dus de
backdoor kan ook gewoon geen trojan zijn. In dit geval zie
ik een trojan als een backdoor die is 'geinstalleerd'
doormiddel van de trojaanse techniek zodat in dit geval
meestal de gebruiker zelf de backdoor start, in die vorm dus
een trojan; een backdoor vermomd als iets anders