Is this a trojan ?

Discussion in 'Trojan Defence Suite' started by rayg, Jan 12, 2003.

Thread Status:
Not open for further replies.
  1. rayg

    rayg Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    41
    I had occasion this weekend to try and bring a friend's computer up to date and explain a little about security. I took the opportunity to load ZA Free on WinXP Home after doing many updates from Windows Update. The system is now bang up to date with patches. As I was doing this from behind my NAT router I did not bother too much about protection, as the system had been on the NET for some months. My other systems were fully protected and nothing has happened or was spotted by any monitoring I had running.

    However, on loading ZAF a program popped up asking to connect to 25.0.0.0:SMTP. It was called winkdp.exe, installed (as I eventually found out) as a hidden system file in Windows/system32. I decided to disallow access, as what it was asking did not "smell" right. I then decided to try and find out what it was and where it had come from.

    I tried to start Task Manager to see what processes were running; as soon as it was started, it was terminated. Given the file system is NTFS I cannot use a DOS virus scanner at boot time, so I decided to load up NOD32 V2 Beta as the most recent single install I could use (lay my hands on). However, when I tried to run nod32.exe I discovered that the file had been deleted. I installed it again over the top (having been asked to re-boot before). I then tried to run the program again and it was again immediately deleted.

    I took the step of renaming winkdp.exe to something else to see if anything was affected. All seems to run OK, but then after a couple of re-boots I get asked to allow winkdc.exe access to the same location.

    Has anyone any ideas on what this may be and what the best way to eradicate it if it is not bona fide?

    Thanks for any suggestions.
     
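The behaviour rayg describes (an unknown hidden system file in system32 asking the firewall for outbound SMTP, then reappearing under a near-identical name after being renamed) is exactly the kind of thing a small triage script can pick out of a firewall's outbound-connection alerts. The following is an added example, not code from the original thread or from ZoneAlarm/NOD32; the log format it parses is a constructed, hypothetical one (timestamp | process path | destination ip:port | DOS attribute letters), the sample lines are constructed to mirror the facts in the post, and the KNOWN_MAILERS allow-list is an assumption to be tuned per machine.

```python
import ipaddress
import ntpath
import re
from dataclasses import dataclass
from itertools import combinations

# Constructed sample lines in a made-up outbound-connection log format:
#   timestamp | process path | destination ip:port | DOS file attributes
# This is NOT ZoneAlarm's real log format; it only mirrors the facts in the post.
SAMPLE_ALERTS = r"""
2003-01-11 21:04:12 | C:\WINDOWS\system32\winkdp.exe | 25.0.0.0:25 | HS
2003-01-11 21:05:40 | C:\Program Files\Outlook Express\msimn.exe | 192.168.1.1:25 | A
2003-01-11 21:06:03 | C:\Program Files\Internet Explorer\iexplore.exe | 203.0.113.10:80 | A
2003-01-12 09:17:55 | C:\WINDOWS\system32\winkdc.exe | 25.0.0.0:25 | HS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \| (?P<path>[^|]+?) \| (?P<ip>[\d.]+):(?P<port>\d+) \| (?P<attrs>[A-Z]*)$"
)

# Hypothetical allow-list of mail clients that legitimately speak SMTP; extend per machine.
KNOWN_MAILERS = {"msimn.exe", "outlook.exe", "thunderbird.exe"}


@dataclass
class Alert:
    ts: str
    path: str
    ip: str
    port: int
    attrs: str  # DOS attribute letters: "H" hidden, "S" system, "A" archive

    @property
    def name(self) -> str:
        # ntpath handles backslash paths even when the script runs on a non-Windows host.
        return ntpath.basename(self.path).lower()


def parse_alerts(text: str) -> list[Alert]:
    """Parse log lines; malformed lines are skipped rather than aborting the triage."""
    alerts = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        alerts.append(Alert(m["ts"], m["path"], m["ip"], int(m["port"]), m["attrs"]))
    return alerts


def reasons_for(alert: Alert) -> list[str]:
    """Return the triage indicators that apply to one alert (empty list == looks benign)."""
    reasons = []
    is_smtp = alert.port == 25
    if is_smtp and alert.name not in KNOWN_MAILERS:
        reasons.append("smtp-from-non-mail-client")
    if is_smtp and not ipaddress.ip_address(alert.ip).is_private:
        reasons.append("smtp-to-non-local-address")
    if "H" in alert.attrs and "S" in alert.attrs and "\\system32\\" in alert.path.lower():
        reasons.append("hidden-system-file-in-system32")
    return reasons


def flag_alerts(text: str) -> dict[str, list[str]]:
    """Map each suspicious process name to the indicators from its first flagged alert."""
    flagged = {}
    for alert in parse_alerts(text):
        reasons = reasons_for(alert)
        if reasons:
            flagged.setdefault(alert.name, reasons)
    return flagged


def renamed_variants(names) -> list[tuple[str, str]]:
    """Pairs of equal-length names differing in exactly one character
    (the winkdp.exe -> winkdc.exe style of reappearing under a near-identical name)."""
    pairs = []
    for a, b in combinations(sorted(set(names)), 2):
        if len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1:
            pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    flagged = flag_alerts(SAMPLE_ALERTS)
    for name, reasons in flagged.items():
        print(f"{name}: {', '.join(reasons)}")
    for a, b in renamed_variants(flagged):
        print(f"possible reappearance under a near-identical name: {a} / {b}")
```

Run against the constructed sample, the script flags winkdp.exe and winkdc.exe on all three indicators and pairs them as one-character variants of each other, while the mail client's SMTP session to the local gateway and the browser's HTTP session produce nothing. The point of the three separate indicators is that no single one is conclusive (a legitimate mail client also speaks SMTP, and some legitimate files carry hidden+system attributes); it is the combination, plus the rename-and-reappear pattern, that justifies pulling the file for a scan rather than trusting it.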
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    rayg,

    It sounds like it might possibly be a variant of the KLEZ Worm. I would recommend going to the "Free Tools" section of Wilders and trying an online virus scan.

    Regards,
    Kent
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    rayg,

    No offense - but please don't cross post ;). I have addressed the same post over on the NOD32 Beta forum.

    This thread is closed.

    regards.

    paul
     