Date Discovered: 3/17/2004
Date Added: 3/24/2004
Length: 61,440 bytes
The application known as Download Accelerator Plus (DAP.EXE) is known to trigger this incorrect identification.
The actual trojan was received under the file name ntdsapi.exe (61,440 bytes). When the trojan is run, it connects to the IRC server irc.alphanine.net, joins a specified channel, and awaits further instructions.
The trojan copies itself to the WINDOWS SYSTEM directory and creates a registry run key to load itself at system startup:
Run "ntdsapi" = "c:\windows\system32\ntdsapi.exe"
Indications of Infection
Unexpected IRC traffic (TCP port 6667) to irc.alphanine.net
The trojan drops an additional file, SVKP.SYS, in the SYSTEM directory and attempts to register the file as a service:
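The indicators described on this page (Run value, file name and size, dropped SVKP.SYS, IRC traffic) can be checked together to separate a real infection from the DAP.EXE misidentification. The following is an added example, not part of the original description; the function names, verdict labels and input tuple formats are assumptions, and the sample data is constructed.

```python
import ntpath

# Indicators taken from the description above.
IRC_HOST, IRC_PORT = "irc.alphanine.net", 6667
TROJAN_NAME, TROJAN_SIZE = "ntdsapi.exe", 61440
RUN_VALUE, DROPPED_FILE = "ntdsapi", "svkp.sys"
KNOWN_FALSE_POSITIVE = "dap.exe"  # Download Accelerator Plus

def triage(autoruns, files, connections):
    """Return the sorted indicators matched by collected host artifacts.

    autoruns: (value_name, command) pairs from a Run key export
    files: (path, size_in_bytes) pairs from the SYSTEM directory
    connections: (remote_host, remote_port) pairs from a firewall log
    """
    hits = set()
    for name, command in autoruns:
        exe = ntpath.basename(command.strip('"')).lower()
        if name.lower() == RUN_VALUE and exe == TROJAN_NAME:
            hits.add("run_key")
    for path, size in files:
        base = ntpath.basename(path).lower()
        if base == TROJAN_NAME and size == TROJAN_SIZE:
            hits.add("trojan_file")
        elif base == DROPPED_FILE:
            hits.add("dropped_file")
    for host, port in connections:
        if host.lower().rstrip(".") == IRC_HOST and port == IRC_PORT:
            hits.add("irc_traffic")
    return sorted(hits)

def classify(flagged_path, hits):
    """Combine the scanner's flagged file with the host indicators."""
    if hits:
        return "investigate"
    if ntpath.basename(flagged_path).lower() == KNOWN_FALSE_POSITIVE:
        return "probable false positive"
    return "inconclusive"

# Constructed sample data (not from a real host); paths are illustrative.
INFECTED = dict(
    autoruns=[("ntdsapi", r"c:\windows\system32\ntdsapi.exe")],
    files=[(r"C:\WINDOWS\system32\ntdsapi.exe", 61440),
           (r"C:\WINDOWS\system32\SVKP.SYS", 2368)],
    connections=[("irc.alphanine.net", 6667)],
)
DAP_ONLY = dict(autoruns=[("dap", r"C:\Program Files\DAP\DAP.EXE")],
                files=[], connections=[("example.com", 80)])

if __name__ == "__main__":
    print(classify(r"C:\WINDOWS\system32\ntdsapi.exe", triage(**INFECTED)))
    print(classify(r"C:\Program Files\DAP\DAP.EXE", triage(**DAP_ONLY)))
```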