NOD32 - IRCBot.LH Trojan Detection - svshost.exe

I have just come back to my computer to find that NOD32 appears to have detected the IRCBot.LH Trojan in my svshost.exe file.

Now, I think this file is important to my system and this message appears to have occured after updating some software that is running 'OK' on another system with different AV software. So, I have run TDS-3 (Full System Scan), Spybot Search & Destroy, AdAware6 and also have Spywareblaster running. None of these have shown any errors.

From what I can discover, this is an old threat and so would assume that TDS-3 should be able to discover it.

Any tips or hints as to what I should do now as AMON cannot clean the file. (and I'm not sure that I want it to at this point in time ). If this is a false positive, how do I 'allow' the detection?

 

Well,is the file svshost.exe or svchost.exe ?

 

This is how NOD32 describes the file:

C:\WINDOWS\system32\svshost.exe - Win32/IRCBot.LH trojan

 

dear Colin, RejZor has a valid point. if its SVSHOST.EXE you can delete this file. if its SVCHOST.EXE please give us the whole path. the best idea would be to submit this file to NOD32 for inspection.

 

geez you are fast. looks like the legitimate file. should be 12800 bytes long. submit it to NOD32. they'll analyse and decide.

 

Definitely svShost.exe.

OK, being new to this game and saving a bit of time, what is the procedure for sending files to ESET? Do I need to do anything in particular?

I apologise in advance if these are dumb questions

 

Dumb Question, just found the info on the ESET site!!

 

ah i should check my eyes again. well Colin if its SVSHOST.EXE and residing in system32 directory its a bad bad thing. check if you have SVCHOST.EXE in the same directory which should be 12800 bytes long. its OK you can ask your questions. just mail the file to this address sample@nod32.com

 

OK, I have svC at 13KB and svS at 34KB.

Now, how do I get rid of this thing - just delete it? (of course after sending it to ESET) Norton used to do this sort of thing for me!!! and this makes me just a little nervous - especially as you say it is a 'bad bad thing' !!

BUT, the analyst side of me wants to know more about it - as long as it doesn't do me any harm

 

If you want, you could upload the svS file to Kaspersky too. Always nice to have a second opinion. But I'm sure that's a nasty, it's not a system process.

Kaspersky

 

Just delete it. This is one of the most common methods how to confuse users with names similar to those used by system.

Examples (1:is legit, 2:is fake/malware)
1:lsass.exe
2:lsasss.exe
1:iexplore.exe
2:iexplorer.exe
1:svchost.exe
2:svshost.exe

Notice small hidden differences?

I have also seen files that are named 100% same as legitim files,but they were just placed in the wrong place (explorer.exe cannot be located in %win%/system32 folder)

 

Submitting as a zipped file to both companies - my ISP threw back the original email sas suspected of containing Netsky virus

 

Kaspersky responded already.

This is IRC based backdoor program.
We already detect it as Backdoor.IRCBot.gen

Feel a lot happier now


Thanks Guys

 

dear Colin delete that file. if you want to submit then remember this rule of thumb: ALWAYS SUBMIT VIRUS IN PASSWORD PROTECTED ARCHIVE AND REMEMBER TO MENTION THE PASSWORD IN YOUR MAIL. in this way no one will be able to scan and delete your mail...well almost.

 

The best way to submit so that ALL av companies get the file as this benefits everyone (there should be no competition in this area between av companies) is to go to dslreports/broadband reports security forum and use the submission tool there. This will submit to all av companies. We have another thread in this forum discussing the fact that Eset may or may not have agreements with all other av vendors to share and the purported lack of sharing may be why Eset lags in adding threats to its base (or may not be). We users can help all vendors and all users by always submitting to every vendor.

The procedure "To Submit Suspected Malware" is about 2/3rds of the way down the page at this link:

http://www.dslreports.com/faq/8428#submit

 

I have archived the file. It would appear that this is an 'old' threat and I will review what has happened, along with the links and set up a procedure to follow next time something like this happens.

Saw the thread regarding ESET and the 'other AV's' thought that on this type of thing, everyone should co-operate, it's in ALL of our interests. But then, one hears the voice of profits and market lead (sigh).

Thanks for the inputs people. I sincerely appreciate every single response. I will sleep happier tonight knowing how NOD32 intercepted the Trojan and also with the responses I have received on this Forum. RESPECT!!!