Hi Jes,
If svcnxp32.exe is malicious it is likely that the box at 82.36.152.102 is
running an IRC server (I just checked and it is) and the Trojan on your
machine was attempting to 'phone home' (connect to the IRC server and await
instructions).
It's a shame you don't have a sample of the file for analysis :o)
Regards,
Simon
--
"A beginning is the time for taking the most delicate care that the balances
are correct."
---------- Original Message -----------
From: "Jes" <snuden@io.dk>
To: <focus-virus@securityfocus.com>
Sent: Mon, 6 Sep 2004 00:40:26 +0200
Subject: svcnxp32.exe ring a bell with anyone?
Hey list,
Rebooted my XP-box today to do a chkdsk. When it came back up my firewall
went beserk, warning me about an application called "svcnxp32.exe"
trying to connect to 82.36.152.102
I don't know what it is - I just know it has no business doing that.
A Google search for svcnxp32.exe came up blank.
After removing svcnxp32.exe from my registry and deleting the file from
C:\Windows\System32 I scanned my system with Kaspersky. No infection.
Scanned with AdAware, same result.
A RIPE WhoIs lookup on IP 82.36.152.102 shows it as belonging to
Blueyonder, apparently an Internet provider located in England. I've
emailed their abuse-department (not holding my breath though), but
would like to hear from you all if you've run into this or something
similar?
Using Tiny Personal Firewall, my log showed this:
Count:1
Module:Firewall
Action:Prevented
Application:svcnxp32.exe
Access:Outbound TCP access
Object:1027 -> 82.36.152.102
(82-36-152-102.cable.ubr04.perr.blueyonder.co.uk):6667 (ircu)
Interface:[9] Intel(R) PRO/100 VE Network Connection
Time:05-September-2004 23:46:40
Regards,
Jes
------- End of Original Message -------
