NOD32 - IRCBot.LH Trojan Detection - svshost.exe

Discussion in 'NOD32 version 2 Forum' started by ceejay13, Jun 18, 2004.

Thread Status:
Not open for further replies.
  1. ceejay13

    ceejay13 Registered Member

    Joined:
    May 1, 2004
    Posts:
    34
    Location:
    Basingstoke, UK
    I have just come back to my computer to find that NOD32 appears to have detected the IRCBot.LH Trojan in my svshost.exe file.

    Now, I think this file is important to my system and this message appears to have occurred after updating some software that is running 'OK' on another system with different AV software. So, I have run TDS-3 (Full System Scan), Spybot Search & Destroy, AdAware6 and also have Spywareblaster running. None of these have shown any errors.

    From what I can discover, this is an old threat and so would assume that TDS-3 should be able to discover it.

    Any tips or hints as to what I should do now as AMON cannot clean the file. (and I'm not sure that I want it to at this point in time :) ). If this is a false positive, how do I 'allow' the detection?
     
  2. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, is the file svshost.exe or svchost.exe?
     
  3. ceejay13

    ceejay13 Registered Member

    Joined:
    May 1, 2004
    Posts:
    34
    Location:
    Basingstoke, UK
    This is how NOD32 describes the file:

    C:\WINDOWS\system32\svshost.exe - Win32/IRCBot.LH trojan
     
  4. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Dear Colin, RejZoR has a valid point. If it's SVSHOST.EXE you can delete this file. If it's SVCHOST.EXE please give us the whole path. The best idea would be to submit this file to NOD32 for inspection.
     
  5. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Geez, you are fast. Looks like the legitimate file. Should be 12800 bytes long. Submit it to NOD32. They'll analyse and decide.
     
  6. ceejay13

    ceejay13 Registered Member

    Joined:
    May 1, 2004
    Posts:
    34
    Location:
    Basingstoke, UK
    Definitely svShost.exe.

    OK, being new to this game and saving a bit of time, what is the procedure for sending files to ESET? Do I need to do anything in particular?

    I apologise in advance if these are dumb questions :oops:
     
  7. ceejay13

    ceejay13 Registered Member

    Joined:
    May 1, 2004
    Posts:
    34
    Location:
    Basingstoke, UK
    Dumb Question, just found the info on the ESET site!!
     
  8. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Ah, I should check my eyes again. Well Colin, if it's SVSHOST.EXE and residing in the system32 directory it's a bad bad thing. Check if you have SVCHOST.EXE in the same directory, which should be 12800 bytes long. It's OK, you can ask your questions. Just mail the file to this address: sample@nod32.com
     
  9. ceejay13

    ceejay13 Registered Member

    Joined:
    May 1, 2004
    Posts:
    34
    Location:
    Basingstoke, UK
    OK, I have svC at 13KB and svS at 34KB.

    Now, how do I get rid of this thing - just delete it? (of course after sending it to ESET) Norton used to do this sort of thing for me!!! and this makes me just a little nervous - especially as you say it is a 'bad bad thing' !! :eek:

    BUT, the analyst side of me wants to know more about it - as long as it doesn't do me any harm :D
     
  10. Mr. Hrmm

    Mr. Hrmm Guest

    If you want, you could upload the svS file to Kaspersky too. Always nice to have a second opinion. But I'm sure that's a nasty, it's not a system process.

    Kaspersky
     
  11. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Just delete it. This is one of the most common methods of confusing users: names similar to those used by the system.

    Examples (1:is legit, 2:is fake/malware)
    1:lsass.exe
    2:lsasss.exe
    1:iexplore.exe
    2:iexplorer.exe
    1:svchost.exe
    2:svshost.exe

    Notice small hidden differences?

    I have also seen files that are named 100% the same as legitimate files, but they were just placed in the wrong place (explorer.exe cannot be located in the %win%/system32 folder)
     
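The two checks RejZoR describes (a name one or two characters away from a real system binary, and a real name sitting in a directory where it never belongs) are easy to automate over a process or file inventory. The script below is an added illustration, not code from this thread, from ESET or from any of the posters; the table of known binaries and their expected directories, and the sample inventory it scans, are constructed for the example and would need to be filled in for a real Windows version.

```python
"""
Lookalike-process check (added illustration, not from the thread or ESET).

Assumptions (constructed for this example):
  - KNOWN_SYSTEM_BINARIES maps a legitimate Windows binary name to the
    directory (or directories) where it is expected to live, lowercased.
  - SAMPLE_INVENTORY is a made-up list of full paths, the kind of data a
    process listing or a directory walk would produce.
"""
from __future__ import annotations

import ntpath  # Windows path splitting works on any host OS

# Expected locations are illustrative; real installs vary by version.
KNOWN_SYSTEM_BINARIES: dict[str, set[str]] = {
    "svchost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "iexplore.exe": {r"c:\program files\internet explorer"},
    "explorer.exe": {r"c:\windows"},
}

# Constructed sample inventory, mixing legitimate and lookalike entries.
SAMPLE_INVENTORY = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\svshost.exe",
    r"C:\WINDOWS\system32\lsasss.exe",
    r"C:\WINDOWS\system32\explorer.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Users\colin\downloads\iexplorer.exe",
    r"C:\WINDOWS\system32\notepad.exe",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(path: str, max_distance: int = 2) -> tuple[str, str]:
    """Return (verdict, reason) for one full path.

    verdict is "ok", "suspicious" or "unknown".  A name that exactly
    matches a known binary is judged by its directory; a near-miss name
    (within max_distance edits) is reported as a lookalike.
    """
    directory, name = ntpath.split(path.lower())
    if name in KNOWN_SYSTEM_BINARIES:
        if directory in KNOWN_SYSTEM_BINARIES[name]:
            return ("ok", "known binary in expected location")
        return ("suspicious", f"{name} outside expected location(s)")
    for known in KNOWN_SYSTEM_BINARIES:
        d = levenshtein(name, known)
        if 0 < d <= max_distance:
            return ("suspicious", f"{name} is {d} edit(s) away from {known}")
    return ("unknown", "not a tracked system name")


def scan_inventory(paths: list[str]) -> list[tuple[str, str, str]]:
    """Return (path, verdict, reason) for every entry that is not 'ok'."""
    findings = []
    for p in paths:
        verdict, reason = classify(p)
        if verdict != "ok":
            findings.append((p, verdict, reason))
    return findings


if __name__ == "__main__":
    for path, verdict, reason in scan_inventory(SAMPLE_INVENTORY):
        print(f"{verdict:10} {path}  ({reason})")
```

Running it prints the svshost.exe, lsasss.exe and iexplorer.exe lookalikes, explorer.exe in the wrong directory, and notepad.exe as merely "unknown" because it is not in the table. The distance threshold of 2 catches one-character swaps and insertions like the ones in the list above; raising it widens coverage but also pulls in unrelated short names, so an "unknown" verdict is worth keeping separate from "suspicious" rather than collapsing the two.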
  12. ceejay13

    ceejay13 Registered Member

    Joined:
    May 1, 2004
    Posts:
    34
    Location:
    Basingstoke, UK
    Submitting as a zipped file to both companies - my ISP threw back the original email as suspected of containing the Netsky virus :rolleyes:
     
  13. ceejay13

    ceejay13 Registered Member

    Joined:
    May 1, 2004
    Posts:
    34
    Location:
    Basingstoke, UK
    Kaspersky responded already.

    This is IRC based backdoor program.
    We already detect it as Backdoor.IRCBot.gen

    Feel a lot happier now
    :D

    Thanks Guys
     
  14. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Dear Colin, delete that file. If you want to submit, then remember this rule of thumb: ALWAYS SUBMIT VIRUS IN PASSWORD PROTECTED ARCHIVE AND REMEMBER TO MENTION THE PASSWORD IN YOUR MAIL. In this way no one will be able to scan and delete your mail...well, almost.
     
  15. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    The best way to submit so that ALL av companies get the file as this benefits everyone (there should be no competition in this area between av companies) is to go to dslreports/broadband reports security forum and use the submission tool there. This will submit to all av companies. We have another thread in this forum discussing the fact that Eset may or may not have agreements with all other av vendors to share and the purported lack of sharing may be why Eset lags in adding threats to its base (or may not be). We users can help all vendors and all users by always submitting to every vendor.

    The procedure "To Submit Suspected Malware" is about 2/3rds of the way down the page at this link:

    http://www.dslreports.com/faq/8428#submit
     
  16. ceejay13

    ceejay13 Registered Member

    Joined:
    May 1, 2004
    Posts:
    34
    Location:
    Basingstoke, UK
    I have archived the file. It would appear that this is an 'old' threat and I will review what has happened, along with the links and set up a procedure to follow next time something like this happens.

    Saw the thread regarding ESET and the 'other AV's' thought that on this type of thing, everyone should co-operate, it's in ALL of our interests. But then, one hears the voice of profits and market lead (sigh).

    Thanks for the inputs people. I sincerely appreciate every single response. I will sleep happier tonight knowing how NOD32 intercepted the Trojan and also with the responses I have received on this Forum. RESPECT!!!
     