IRC-Deport

Mar 24, 2004 2:33PM PST

Date Discovered: 3/17/2004
Date Added: 3/24/2004
Origin: Unknown
Length: 61,440 bytes
Type: Trojan

The application known as Download Accelerator Plus (DAP.EXE) is known to trigger this incorrect identification.

The actual trojan was received using the file name ntdsapi.exe (61,440 bytes). When the trojan is run, it connects to the IRC server irc.alphanine.net, joins a specified channel, and awaits further instructions.

The trojan copies itself to the WINDOWS SYSTEM directory and creates a registry run key to load itself at system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ntdsapi" = "c:\windows\system32\ntdsapi.exe"



Indications of Infection

Unexpected IRC traffic (TCP port 6667) to irc.alphanine.net
The trojan drops an additional file in the SYSTEM directory, SVKP.SYS, and attempts to register the file as a service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svkp


http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101134
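
A triage sketch for the indicators listed above, added here as an example and not part of the original post or the McAfee write-up: it parses a regedit export and a connection log for the Run value, the svkp service key, and IRC traffic to the named server. The log line format and all sample data are constructed assumptions.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SVC_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svkp"
RUN_VALUE = ("ntdsapi", r"c:\windows\system32\ntdsapi.exe")
IRC_HOST, IRC_PORT = "irc.alphanine.net", 6667

# Constructed sample of a regedit export (.reg text escapes backslashes).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ntdsapi"="c:\\windows\\system32\\ntdsapi.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svkp]
"Type"=dword:00000001
'''
# Constructed connection log line; the field layout is an assumption.
SAMPLE_CONN = ["2004-03-24 14:01:07 TCP 192.168.1.20 irc.alphanine.net 6667"]

def parse_reg_export(text):
    """Parse regedit export text into {key_path_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # string values only; dword/hex values are skipped
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name.lower()] = data
    return keys

def triage(reg_text, conn_lines):
    """Return the indicators from the write-up that are present in the artifacts."""
    keys, hits = parse_reg_export(reg_text), []
    run = keys.get(RUN_KEY.lower(), {})
    if run.get(RUN_VALUE[0], "").lower() == RUN_VALUE[1]:
        hits.append("run-key")
    if SVC_KEY.lower() in keys:
        hits.append("svkp-service")
    for line in conn_lines:
        fields = line.lower().split()
        if IRC_HOST in fields and str(IRC_PORT) in fields:
            hits.append("irc-traffic")
            break
    return hits
```

A scanner hit on DAP.EXE on a host where `triage` returns an empty list is consistent with the incorrect identification described above.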
