On Thu, 27 Oct 2005, James David Byrne wrote:
I notice an entry that I previously overlooked in HijackThis
for Run: [WindowsXPserv] svcnxp32.exe, which I understand may
be undesirable. However no file exists of this name
(including within hidden/system files) on the drive.
You may first want to be *sure* this trojan is REALLY gone from
your system.
-----------------------------------
<http://www.sophos.com/virusinfo/analyses/trojsmalluw.html>
Troj/Small-UW is a backdoor Trojan which allows a remote
intruder to access and control the computer via IRC channels.
When first run Troj/Small-UW moves itself to the Windows system
folder as svcnxp32.exe and creates the following new registry
entry, so that svcnxp32.exe is run automatically on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WindowsXPserv = svcnxp32.exe
Whilst the Trojan is active it refreshes this registry entry
every 1 second in an attempt to prevent its deletion.
Troj/Small-UW tries to connect to a remote IRC server on port
6667 using a random nickname and join a specific channel.
The Trojan then listens on the channel for instructions
specified by a remote intruder. A remote intruder can instruct
the Trojan to carry out various actions such as download and
run new executable files.
-----------------------------------
--
----------------------------------------
To Change your email Address for this list, send the following message:
CHANGE WIN-HOME your_old_address your_new_address
to: [EMAIL PROTECTED]
Note carefully that both old and new addresses are required.
