Aug 04

We thought it might be an AVG false positive, but thanks to a helpful comment from Martyn we now know that’s not the case.

SHeur.bzpu is a backdoor trojan

http://www.microsoft.com/security/portal/SearchResults.aspx?query=SHeur.bzpu

Backdoor:Win32/Nuwar.gen!D

Aliases: SHeur.BCFX (AVG)

Description: Backdoor:Win32/Nuwar.gen!D is a generic detection for a backdoor trojan that allows unauthorized access to an infected computer. The trojan receives commands indirectly from a remote attacker via its connection to a malicious peer-to-peer network. This trojan also contains advanced stealth…

Published Date: 06/16/2008

Severity Rating: Medium

Popularity: 40%

15 Responses to “Trojan Horse SHeur.bzpu is a backdoor trojan”

  1. Eli Orr Says:

    Any program to auto-remove?

    I’ve got AVG detecting it on a WD external disk.

  2. TheFrogPrince Says:

    Confirmed.

    http://www.microsoft.com/security/portal/Entry.aspx?Name=Backdoor%3aWin32%2fNuwar.gen!D

    This is not a false positive.

    I am currently researching this post:
    http://help.lockergnome.com/windows/Trojan-Horse-SHeur-Issue-ftopict583909.html
    as an alternative to Microsoft Live!

    Not sure who I fear the most… the Russians?… or Microsoft? =o)

  3. TheFrogPrince Says:

    Currently researching this link:

    http://help.lockergnome.com/windows/Trojan-Horse-SHeur-Issue-ftopict583909.html

    as an alternative to Microsoft Live!.

    Not sure who I fear the most… the Russians?… or Microsoft? =)

  4. Ego-Suicide 2 Says:

    To: TheFrogPrince

    I decided to respond to the email directly and through the link. Yes, I have confirmed Trojan Horse.SHeur to be a positive on certain occasions. The one that I encountered acted more like a worm than a Trojan (possibly Trojan.Worm/W32 class). It takes well to infecting the system restore and infecting processes. The email that I sent to TheFrogPrince contains a photo of what my Nod32 anti-virus caught after trying to install Advanced Windows Care V3 Beta 2.8.2. I hope he uploads it soon, and I am prepping my computer for another wave of SHeur action. Just in case it is a false positive, I will send the file for analysis and get my results soon (hopefully). I know this seems like a post itself, but I have to reply about that. If we come across any new info, I will update my posts on this link.

  5. TheFrogPrince Says:

    OK… still playing around with this. Think I may have scared whatever I had into hiding. =)

    The layman’s term for “advanced stealth” is: rootkit.

    Microsoft offers a fairly detailed explanation of rootkits here:
    http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx#wha

    They offer a free rootkit detector (doesn’t clean the problem, but tries to identify if you have it). They also link to Phrack.org, which contains much more detailed information on the subject.

    I did run across this:
    http://www.freewarefiles.com/AVG-Anti-Rootkit_program_22524.html
    Oddly enough, this download is not advertised on the AVG website directly. This tool is not included in AVG Free.

  6. Ego-Suicide Says:

    Why didn’t AVG release that… I wonder if a lawsuit can be filed against them for some reason; someone who is smart enough will know the loopholes and find a way to do it IF they do see that link.

    Anyways, I thought AVG was all for the safety of the public’s computers. Guess I was wrong about that; I’ll just go and buy a Nod32 license.

  7. Ron Shank Says:

    I still like AVG and recommend it to many of my consulting clients. I also like Avast. And for even more safety, I recommend leaving windows and going to Linux, or Mac. The choice depends mainly on your software needs.

  8. Ego-Suicide Says:

    Ron, I can understand where you’re coming from on this matter. But right now I am frowning upon AVG and their customer support. And right now I can’t leave Windows. If I had the chance, I would ditch Windows and install the Linux Edubuntu that my school’s computer administrator gave me. Unfortunately, it likes to crash often, so I have to stick with Windows XP.

  9. Ron Shank Says:

    Ego: give Avast a try and see if that works better for you. Be sure and report back here if you don’t mind. I really value your input.

  10. Ego-Suicide Says:

    ok ron, I will give Avast antivirus a try.

  11. Ego-Suicide Says:

    Avast is working fine, a little heavy on the memory by my standards, but it’s doing its job. And I gathered more info about the SHeur virus. Turns out it’s actually a whole new strain of Trojans. A person that I was talking to about programming told me that it has 2 or more effects on your computer. Effect 1: it degrades hardware (meaning it will fry your video card, CPU, CD drive, etc.). 2: it will copy your system data and send critical bits of it to the hacker. 3: it gives hackers full access to your computer and will take control of the CPU, giving you something similar to the BSD while the hacker is going through your system as he pleases. Turning off your computer during effects 2 and 3 WILL damage your system. If it is detected in the system restore, throw it in the virus vault ASAP. This virus has fried my CD drive! T_T

  12. Jo Says:

    HELP! I installed AVG yesterday as I was fed up with Norton constantly needing updating and costing me a fortune. Today I have turned my computer on and been told I have Trojan Horse SHeur. I have no idea about these things and don’t know what to do to get rid of it. HELP!!!!!

  13. Ego-Suicide Says:

    AVG has had a few bugs before 7.5 ended… 8.0 was fine until a certain update that caused a bug. I’m not sure what to say; I would quarantine the object in the virus vault for now, create a HijackThis log and submit it to a forum where a volunteer will analyze it and give his diagnosis on your computer. And it is a bug if you use Quicken products (AVG just hates those programs for some reason). So there is a chance that it will be a glitch.

  14. Jason Says:

    Also in need of guidance… Things are NOT looking good… I came across SHeur.BYD, have done some research, and currently I am confused whether it is an actual virus on my CPU or if AVG is falsely reporting it. Can anyone assist?

    Here are the details. The virus is “detected” any time I put a legit (bought at a store) CIV 4 game disc in the D: drive. I am currently running a system scan; the only things identified so far are cookies. During my first install run of CIV 4, my system froze after the “insert disc 2” screen. I had to power off and restart. I looked under the install/remove programs list to remove the partial install, but was unable to find any created program (makes sense). I re-inserted disc 1, the title screen came up (“Play”, “Details”, “Exit”), and I clicked Exit. I went to run D:; after the disc started spinning up, the virus-detected popup appeared. The interesting thing, though, is that the file location is D:\DIAG.EXE, and of the two options after virus detection, remove and heal, a message states the file cannot be healed: “object(s) are on an optical drive”. Is this just AVG wrongly reporting a “normal” file used to install the game, or is this just that messed up……. Any ideas… Please…
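A triage check for the situation described in the comment above, added here as an example; it is not part of the original post or any comment. “Heal” needs write access that a pressed optical disc does not give, so it can never settle whether a hit on D:\DIAG.EXE is a false positive. What can be established from the disc itself is the file’s hash (so the hash, not the binary, goes to the vendor for analysis), whether it carries an Authenticode signature and from whom, and what its version resource claims. The path is the one the commenter reported; nothing here asserts whether that file is malicious, and a valid signature only tells you who shipped it, not that it is safe.

```powershell
# Added example, not from the original post. Collects the facts needed to
# decide whether an AV hit on a read-only disc is a false positive.
# The path used at the bottom is the one the commenter reported.
function Get-DetectionTriage {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $item = Get-Item -LiteralPath $Path

    # 1. Fingerprint. Submit or look up the hash instead of mailing the binary.
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    # 2. Authenticode. 'Valid' with a publisher you recognise weighs towards a
    #    false positive; 'NotSigned', 'HashMismatch' or an unknown signer means
    #    the detection deserves a second opinion before you trust the disc.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 3. Version resource, which a legitimate installer helper usually carries.
    $ver = $item.VersionInfo

    [pscustomobject]@{
        Path        = $item.FullName
        SizeBytes   = $item.Length
        SHA256      = $hash.Hash
        SigStatus   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Company     = $ver.CompanyName
        Product     = $ver.ProductName
        FileVersion = $ver.FileVersion
    }
}

# Path taken from the comment above; adjust for your own drive letter.
Get-DetectionTriage -Path 'D:\DIAG.EXE' | Format-List
```

Compare the SHA256 with what the publisher or a multi-engine scanner reports for the same file name and version before deciding either way; an unsigned file with an empty version resource on a retail disc is a reason to escalate, not proof of infection, and a signed one is a reason to suspect a false positive, not proof of innocence.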

  15. Ron Shank Says:

    I’ve started using and recommending avast anti-virus.
