SVKP.SYS Service?

Discussion in 'Trojan Defence Suite' started by ibeme99, Jul 1, 2004.

Thread Status:
Not open for further replies.
  1. ibeme99

    ibeme99 Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    39
    Anyone know what this SVKP.SYS module is which runs as a service? It looks to be some sort of legacy driver. It has a description of SVKP driver for NT. Although it is marked copyright Microsoft, what bothers me a lot is in the company name field inside the properties, it has the string "AntiCracking" . Huh? I stopped this service and just checked. It is still stopped. I'd like to know what this is before I rename it and maybe find that I can't boot or something.

    I Googled it and found it mentioned obliquely by a number of people, but only McAfee calls it a trojan. However, I don't find any of the symptoms that are described in this McAfee writeup - http://vil.nai.com/vil/content/v_101134.htm

    The above port 6667 is not open. I don't have a file named NTDSAPI.EXE on my system.

    So I did a text dump of the module and this is what I see:


    Code:
    File pos   Mem pos	  ID   Text
    ========   =======	  ==   ====
    0000004D   0001004D	  0   !This program cannot be run in DOS mode.
    000000B0   000100B0	  0   Richg
    000001C8   000101C8	  0   .text
    000001EF   000101EF	  0   h.data
    00000240   00010240	  0   .rsrc
    00000267   00010267	  0   B.reloc
    00000459   00010459	  0   QPPj"WPV
    000004FE   000104FE	  0   IoCompleteRequest
    00000512   00010512	  0   IoCreateDevice
    00000524   00010524	  0   IoCreateSymbolicLink
    0000053C   0001053C	  0   IoDeleteDevice
    0000054E   0001054E	  0   IoDeleteSymbolicLink
    00000566   00010566	  0   RtlInitUnicodeString
    0000057C   0001057C	  0   ntoskrnl.exe
    00000925   00010925	  0   3I4r4y4
    00000400   00010400	  0   \Device\SVKP
    0000041A   0001041A	  0   \DosDevices\SVKP
    00000606   00010606	  0   VS_VERSION_INFO
    00000662   00010662	  0   StringFileInfo
    00000686   00010686	  0   040904B0
    0000069E   0001069E	  0   CompanyName
    000006B8   000106B8	  0   AntiCracking
    000006DA   000106DA	  0   FileDescription
    000006FC   000106FC	  0   SVKP driver for NT
    0000072A   0001072A	  0   FileVersion
    00000756   00010756	  0   InternalName
    00000770   00010770	  0   SVKP.sys
    0000078A   0001078A	  0   LegalCopyright
    000007A8   000107A8	  0   Copyright (C) Microsoft Corp. 1981-1999
    000007FE   000107FE	  0   OriginalFilename
    00000820   00010820	  0   SVKP.sys
    0000083A   0001083A	  0   ProductName
    00000854   00010854	  0   SVKP driver for NT
    00000882   00010882	  0   ProductVersion
    000008B2   000108B2	  0   VarFileInfo
    000008D2   000108D2	  0   Translation 
    Note there is a Microsoft copyright but this could just be a fake.
    So then I ran a trojan scan with TDS-3. It found no problems and ignored this supposed trojan file (SVKP.SYS).

    Anyone know what this SVKP.SYS thing is and what it does? What does it come from? Is it a trojan as McAfee says? If so, why doesn't TDS-3 find it?
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi ibeme99, It may be a false positive or a corrupted download.
    Did you have all the scan control options enabled when you did the scan?

    Please zip the file and send it to support@diamondcs.com.au for analysis.

    HTH Pilli
     
  3. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
  4. 0--0

    0--0 Guest

    SVK Protector is a commercial protector which shall (but does not) prevent software piracy. In principle, this program is harmless although it's really annoying that it installs a driver (svkp.sys) on your computer.

    SVK Protect *may* also be used to camouflage malware. Most scanners cannot detect malware which is protected with SVKP (see, for instance, the recent scan logs which I have posted in the Scheinsicherheit Forum). I do not believe that many attackers use SVKP but maybe the trojan described by NAI does.

    Moreover, malware can be called "svkp.sys" and installed as a driver so that a user may think that it's just SVK Protector running on the computer.

    Therefore, I would also recommend doing what Pilli said: ask Gavin to analyse the file. It would be great if he could post the results of his analysis.
     
  5. dread

    dread Registered Member

    Joined:
    May 18, 2004
    Posts:
    195
    If it was me I would email McAfee too. They are the ones saying it's a trojan. I looked on Google too and there isn't much about it, and McAfee is the only one that says this from a Google search with that name. From Google Groups, from what I saw, people didn't know it was installed, didn't install it, didn't like it being installed without them knowing it, and removed it.
     
  6. ibeme99

    ibeme99 Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    39
    Thanks. TDS didn't flag it as a trojan and someone else in another forum pointed me to http://www.anticracking.sk/ which looked like a fit, so I just deleted the file and rebooted. Everything seems to be working OK as of now. If this file is tied to some program that requires it to run, I guess I'll get some sort of message down the line.

    I really think it is a big security hole in Windows to allow any program to install drivers and files into system libraries. And even if Windows has no way to prevent a driver file from being installed, it should mark it somehow to not allow it to run until the user gives full and explicit permission to do so.
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Try Process Guard from, this may give you the sort of control you are looking for.

    Pilli
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    http://vil.nai.com/vil/content/v_101134.htm
    this you mean?
    Hope you did submit the file to Gavin before deleting it.
    When I find something suspicious I either rename the extension or zip it, so in case any legal program seems to need it, it is still there to be placed back.
     
  9. bluekey23

    bluekey23 Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    77
    I found this same file in my driver folder a while back and have been wondering about it ever since (TaskInfo2003 is good for this kind of detection). My question (besides those already asked) is where does SVKP.SYS come from? Is it part of the original installation of the OS? Ibeme - many here will be anxious to know what your experience is after getting rid of the file. Will you still be able to update your OS using msupdate? Does anything down the road fail to run? etc.
     
  10. dread

    dread Registered Member

    Joined:
    May 18, 2004
    Posts:
    195
    It's probably something that installs silently without telling you. That is what I have found anyway, like games or music. The new Beastie Boys CD is supposed to install software like that, http://clearstatic.org:2396/node/view/512 I am not saying Beastie Boys are using that protection but just an example. I figure games and music CDs are most likely doing it. Might want to check the files and dirs on any new software you have installed or any music CD you have listened to. Might be able to find it even though it installs silently. I am sure the dir or file is on the CD and visible, hopefully.
     
  11. bluekey23

    bluekey23 Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    77
    I tried to locate this driver and couldn't. Taskinfo shows it in the expected place C:\WINDOWS\system32\drivers. But when I look in that directory SVKP is nowhere to be found. Strange. Maybe Jooske or Pilli knows how to locate this driver?
    Thanks.
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Bluekey23, have you set Windows Explorer options using Tools - Folder Options - View and enabled "Show hidden files and folders", then unticked "Hide protected operating system files"?

    Doing this should allow you to see all the files on your PC.
     
  13. bluekey23

    bluekey23 Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    77
    Pilli,
    Thanks. Yes, I did that. Also I've disabled SVKP and so far haven't noticed any problems.
    If anyone learns more about this driver, I'd be interested. For example, it would be nice to know its origin.
     
  14. o--o

    o--o Guest

    @bluekey

    "My question(besides those already asked) is where does SVKP.SYS come from?"

    "If anyone learns more about this driver, I'd be interested."

    I am slightly puzzled. I have already explained this stuff. Why are you still asking? ;-)

    Again: The driver usually comes from SVK Protect. The driver is a part of this commercial protection system. Unless you send this driver to Gavin, to me or to someone else, nobody can tell you whether it is really the original SVK Protect driver or - let's say - a renamed rootkit driver.
     