Way ahead of you. CC usage shows so far nothing I can't recognize (although
I'll scrutinize the bills very carefully for the next couple of months), all
passwords to online services have been changed (just in case), and my other
2 machines are clean.
Regards,
Jes
-----Original Message-----
From: Andrew Smith [mailto:stfunub@gmail.com]
Sent: Wednesday, September 08, 2004 21:47
To: Jes
Cc: Simon; focus-virus@securityfocus.com
Subject: Re: svcnxp32.exe ring a bell with anyone?
There are to types of illegitimate IRC bots, those that are used for spam
and those that are used for denial of service attacks. I beleive ircspy.com
uses legitimate bots. The bot on your computer will have
(probably) been connecting to an IRC channel where it was controlled by
whoever spread it, they could have run anything including keyloggers. If you
have entered credit card information on that computer recently i would
certainly check your card for fraud. Also if you have a home network check
other computers for infections, some of these bots spread localy as well as
on the internet.
On Tue, 7 Sep 2004 19:40:23 +0200, Jes <snuden@io.dk> wrote:
Hey Simon,
Yeah I discovered that too after some further investigation. I'm still
trying to figure out what I did to let the li'l bugger into my
registry though - it sneaked in during a period between reboots where
I hardly touched the box at all.
Oh well, I'm just glad my firewall gave me a shout - as for keeping it
for analysis I probably should have but at the time it was a matter of
"cleaning house" as fast as possible :) It'll show it's ugly face
again soon enough I'm sure, but if it's like most IRC-bots it either
collects information for sites such as www.ircspy.com or sends
advertising messages to anyone and everyone joining whichever channels
it resides in.
Regards,
Jes
-----Original Message-----
From: Simon [mailto:simon@zendifferential.net]
Sent: Tuesday, September 07, 2004 14:09
To: Jes
Cc: focus-virus@securityfocus.com
Subject: Re: svcnxp32.exe ring a bell with anyone?
Hi Jes,
If svcnxp32.exe is malicious it is likely that the box at
82.36.152.102 is running an IRC server (I just checked and it is) and
the Trojan on your machine was attempting to 'phone home' (connect to
the IRC server and await instructions).
It's a shame you don't have a sample of the file for analysis :o)
Regards,
Simon
--
"A beginning is the time for taking the most delicate care that the
balances
are correct."
---------- Original Message -----------
From: "Jes" <snuden@io.dk>
To: <focus-virus@securityfocus.com>
Sent: Mon, 6 Sep 2004 00:40:26 +0200
Subject: svcnxp32.exe ring a bell with anyone?
Hey list,
Rebooted my XP-box today to do a chkdsk. When it came back up my
firewall went beserk, warning me about an application called
"svcnxp32.exe" trying to connect to 82.36.152.102
I don't know what it is - I just know it has no business doing that.
A Google search for svcnxp32.exe came up blank.
After removing svcnxp32.exe from my registry and deleting the file
from C:\Windows\System32 I scanned my system with Kaspersky. No
infection. Scanned with AdAware, same result.
A RIPE WhoIs lookup on IP 82.36.152.102 shows it as belonging to
Blueyonder, apparently an Internet provider located in England. I've
emailed their abuse-department (not holding my breath though), but
would like to hear from you all if you've run into this or something
similar?
Using Tiny Personal Firewall, my log showed this:
Count:1
Module:Firewall
Action:Prevented
Application:svcnxp32.exe
Access:Outbound TCP access
Object:1027 -> 82.36.152.102
(82-36-152-102.cable.ubr04.perr.blueyonder.co.uk):6667 (ircu)
Interface:[9] Intel(R) PRO/100 VE Network Connection
Time:05-September-2004 23:46:40
Regards,
Jes
------- End of Original Message -------
