Re: Are these Trojans?

proch_omen_at_hotmail.com
Date: 12/31/04


Date: 31 Dec 2004 12:51:58 -0800

Ok, I remember opening a JPG of some redneck with a shotgun from
USENET. This must have exploited a buffer overflow in Outlook Express.

MartynB wrote:
> I'm running XP Pro SP2 and use AVG free, Spybot, Ad-Aware SE and
> a-squared
>
> 2 new processes have appeared yesterday and are both loaded by
> registry at startup as:-
>
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
> "LangSupportEx"="mspmspv.exe"
> "IPConfig"="svcxnw32.exe"
>
> and:-
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
> "LangSupportEx"="mspmspv.exe"
> "IPConfig"="svcxnw32.exe"
>
> Both files are located in C:\WINDOWS\system32\
> Properties:-
> mspmspv.exe 18.5 KB (18,976 bytes) 30 December 2004, 11:26:14
> svcxnw32.exe 18.5 KB (18,976 bytes) 30 December 2004, 18:28:59
>
> According to netstat, the processes are established to the following
> addresses using TCP:-
>
> mspmspv.exe:-
> 17-112.202-68.se.rr.com [68.202.112.17] on port 6667
>
> svcxnw32.exe:-
> astound-64-83-195-190.mn.astound.net: [64.83.195.190] on port 6667
>
> I have scanned using all the installed malware/virus scanners
> mentioned above but they are not detected. I've also tried a web
> search but so far no luck.
>
> Does anyone have any info about these? They look like Trojans to me.
> How did they get in?
>
> Martyn
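
A triage sketch for the observations quoted above, added here as an example and not part of the original thread: it parses a .reg-style export of the two Run keys and flags autorun entries by the traits visible in the post (same entry in both hives, no directory in the command, a connection on port 6667, identical file size). The function names, reason strings and the choice of heuristics are assumptions; the sample inputs are constructed from the values in the post.

```python
import re
from collections import defaultdict
# Constructed inputs: values copied from the quoted post, not live system output.
REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"LangSupportEx"="mspmspv.exe"
"IPConfig"="svcxnw32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LangSupportEx"="mspmspv.exe"
"IPConfig"="svcxnw32.exe"
'''
CONNECTIONS = [("mspmspv.exe", "68.202.112.17", 6667), ("svcxnw32.exe", "64.83.195.190", 6667)]
FILE_SIZES = {"mspmspv.exe": 18976, "svcxnw32.exe": 18976}
IRC_PORTS = {6667}  # assumption: only the port seen in the post

def parse_run_keys(text):
    """Return {hive: {value_name: command}} for CurrentVersion Run keys only."""
    runs, hive = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(HKEY_[A-Z_]+)\\(.+)\]", line)
        if key:
            is_run = key.group(2).lower().endswith(r"\currentversion\run")
            hive = key.group(1) if is_run else None
            continue
        val = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if val and hive:
            runs[hive][val.group(1)] = val.group(2)
    return dict(runs)

def triage(runs, connections, sizes):
    """Return {executable: sorted reasons} for autoruns that deserve a closer look."""
    hits, autoruns = defaultdict(set), set()
    hkcu, hklm = runs.get("HKEY_CURRENT_USER", {}), runs.get("HKEY_LOCAL_MACHINE", {})
    for entries in (hkcu, hklm):
        for name, cmd in entries.items():
            exe = cmd.rsplit("\\", 1)[-1].lower()  # arguments are not handled here
            autoruns.add(exe)
            if hkcu.get(name) == hklm.get(name):
                hits[exe].add("same entry in HKCU and HKLM")
            if "\\" not in cmd:
                hits[exe].add("no directory in command")
    for proc, _ip, port in connections:
        if proc.lower() in autoruns and port in IRC_PORTS:
            hits[proc.lower()].add("connection on IRC port")
    for exe in autoruns:
        if sizes.get(exe) and any(o != exe and sizes.get(o) == sizes[exe] for o in autoruns):
            hits[exe].add("same size as another autorun")
    return {exe: sorted(reasons) for exe, reasons in hits.items()}
```

Each reason is a prompt for manual inspection of the file, not a verdict; legitimate software can match any one of them on its own.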