Svchelper.exe...probably unknown NewHeur_PE virus

Thanks!

That would appear to be the case. It also creates this startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SYSTEM service helper"
Type: REG_SZ
Data: E:\Documents and Settings\Ton\My Documents\Baddies\svchelper.exe

Traffic:

10/07/2005 21:03:27pm OPEN TCP 0.0.0.0:0 0.0.0.0:0 Success 0 E:\Documents and Settings\Ton\My Documents\Baddies\svchelper.exe:1652
10/07/2005 21:03:27pm CONNECT TCP 0.0.0.0:1036 62.211.69.7:6667 Success E:\Documents and Settings\Ton\My Documents\Baddies\svchelper.exe:1652 Italy
10/07/2005 21:03:27pm SEND TCP 192.168.1.11:1036 62.211.69.7:6667 Success 361 E:\Documents and Settings\Ton\My Documents\Baddies\svchelper.exe:1652 Italy
10/07/2005 21:03:27pm SEND TCP 192.168.1.11:1036 62.211.69.7:6667 Success 161 E:\Documents and Settings\Ton\My Documents\Baddies\svchelper.exe:1652 Italy
10/07/2005 21:03:28pm RECEIVE TCP 192.168.1.11:1036 62.211.69.7:6667 Success 67 E:\Documents and Settings\Ton\My Documents\Baddies\svchelper.exe:1652 Italy
10/07/2005 21:03:39pm RECEIVE TCP 192.168.1.11:1036 62.211.69.7:6667 Success 82 E:\Documents and Settings\Ton\My Documents\Baddies\svchelper.exe:1652 Italy
10/07/2005 21:04:27pm CLOSE TCP 192.168.1.11:1036 62.211.69.7:6667 Success E:\Documents and Settings\Ton\My Documents\Baddies\svchelper.exe:1652 Italy
1

irc1.tin.it = [ 62.211.69.7 ]

domain: tin.it
org: TI MEDIA SpA
descr: TI MEDIA SpA
admin-c: MMM134-ITNIC
tech-c: STT2-ITNIC
postmaster: SPT1-ITNIC
zone-c: SZT1-ITNIC
nserver: 194.243.154.62 dns.tin.it
nserver: 195.31.190.31 dnsca.tin.it
remarks: Delegated-To tin.it
mnt-by: TIN-MNT
created: 19961003
expire: 20060531
source: IT-NIC
person: MAURIZIO MARIA MONTI
address: Via C.Colombo 142
address: ROMA 00144
nic-hdl: MMM134-ITNIC
New size: 3.452 bytes

 

OK, Kaspersky just came back to me (fast as always...):

Detection added as Backdoor.Win32.RBot.uj

 

Good job ESET!!!

 

Hear, hear! http://castlecops.com/modules/Forums/images/smiles/eclipsee_gold_cup.gif

 

... and I just added this one to the CC Startup database as well

http://castlecops.com/s10258-SYSTEM_service_helper.html

 

Does NOD32 now detect it with signatures as well?

 

Yes they do:

Sophos have it here: http://www.sophos.com/virusinfo/analyses/w32monkbda.html

Wouldn't it be nice if everyone would agree... LOL

 

Heuristics of NOD32 prove to be the best yet again!

Great job, ESET!

 

Agreed.