Security Incidents mailing list archives

Re: unknown trojan (attached)


From: bkittler () EARTHLINK NET (Brandon Kittler)
Date: Sat, 10 Jun 2000 22:55:22 -0700


I had the same problem. The trojan resides in c:\windows\srvcp.exe. It is started at run time via the registry, in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The program is listed as "Service Profiler". I came across it the other day, and wondering what it was, pulled all the strings out. It runs an ident daemon, as well as an IRC connection which it receives commands over (retrieval of FTP files, run cmds, etc). If you telnet to 113 and issue an invalid ident request, the trojan crashes immediately.

Extracted from srvcp.exe:
...
00529F ftp -s:c:\flog
0052B1 quit
0052BC c:\flog
0052CE CHAN
0052D3 REMSERVER
0052DD ADDSERVER
0052E7 SOUPCHAN
0052F0 SETNAME
...
00548C PRIVMSG %s :ok.. running
0054A6 PRIVMSG %s :couldn't spawn file
0054C7 PRIVMSG %s :successfully spawned ftp.exe
0054F1 PRIVMSG %s :couldn't spawn ftp.exe
005515 PRIVMSG %s :no more...
00552D PRIVMSG %s :ready and willing...
...

Obviously, this isn't supposed to be there :)

Brandon Kittler
bkittler () iname com
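As an added example that is not part of the post above: a small strings-based triage check, in Python, that extracts printable-ASCII runs from a binary blob (the way the post's author did) and matches them against the command strings the post lists for srvcp.exe. The indicator list is taken from the dump above; the sample bytes are constructed here and are not the real binary.

```python
import re

# Indicator strings copied from the srvcp.exe strings dump in the post.
SRVCP_INDICATORS = [
    b"ftp -s:c:\\flog",
    b"SOUPCHAN",
    b"REMSERVER",
    b"ADDSERVER",
    b"PRIVMSG %s :ready and willing...",
    b"PRIVMSG %s :successfully spawned ftp.exe",
]

# Minimum run of printable ASCII to count as a string (same default as the strings tool).
MIN_LEN = 4
_PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)


def extract_strings(data: bytes):
    """Return (offset, string) pairs for every printable-ASCII run in data."""
    return [(m.start(), m.group()) for m in _PRINTABLE.finditer(data)]


def match_indicators(data: bytes, indicators=SRVCP_INDICATORS):
    """Return {indicator: offset} for each indicator found inside an extracted string."""
    hits = {}
    for offset, s in extract_strings(data):
        for ind in indicators:
            if ind in s and ind not in hits:
                hits[ind] = offset + s.index(ind)
    return hits


def triage(data: bytes, threshold=2):
    """Flag the blob when at least `threshold` of the known srvcp.exe strings are present."""
    hits = match_indicators(data)
    return {"hits": hits, "suspicious": len(hits) >= threshold}


# Constructed sample (hypothetical): filler bytes with three of the post's strings embedded.
SAMPLE = (
    b"\x00" * 16 + b"MZ\x90\x00" + b"\x00" * 8
    + b"PRIVMSG %s :ready and willing...\x00"
    + b"\xff\xfe" * 4
    + b"SOUPCHAN\x00SETNAME\x00"
    + b"ftp -s:c:\\flog\x00quit\x00"
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    for ind, off in sorted(result["hits"].items(), key=lambda kv: kv[1]):
        print(f"{off:06X} {ind.decode()}")   # offset/string layout like the post's dump
    print("suspicious:", result["suspicious"])
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`; the match is on the extracted strings only, so a packed or encoded copy would need unpacking first.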

