Hi charlesbsbio,
Hello, the malware can be identified as: Backdoor.Win32.IRCBot.nw
alias IRC.Bot SS, as you can read here:
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=108446
----------
Troj/IRCBot-FP is a backdoor Trojan for the Windows platform.
Troj/IRCBot-FP has the functionalities to:
- disable Anti-Virus applications
- access the internet and communicate with a remote server via HTTP
- allow unauthorized access to the infected computer via IRC
- hide processes
When run, Troj/IRCBot-FP copies itself to <System>\smss.exe and creates the following files:
<System>\netf.dll
<System>\nvsvcd.exe
The files netf.dll and nvsvcd.exe are detected as Troj/IRCBot-FP.
Troj/IRCBot-FP sets the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.nvsvc
<System>\smss.exe /w
Troj/IRCBot-FP creates a service named "Windows Log" and sets registry entries under:
HKLM\System\CurrentControlSet\Services\Windows Log
----------------------------------
Here is some more information about this. Some of the text is in German but the general information is informative here:
http://virus-protect.org/artikel/dienste/nvsvcd.html
Above link was pre-scanned by Dr.Web (R) daemon for Linux v4.33
(4.33.0.09211) Copyright © Igor Daniloff, 1992-2005
Last update time: 2006-05-01,19:43:27
File size: 34562 bytes
nvsvcd.html - archive HTML
>nvsvcd.html/Script.0 - OK
>nvsvcd.html/Script.1 - OK
>nvsvcd.html/JavaScript.2 - OK
>nvsvcd.html/Script.3 - OK
nvsvcd.html - OK
Just a few steps closer to resolving this phenomenon.
polonus
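
The registry indicators listed in the write-up quoted above can be checked against a text export of a machine's registry. The following is an added example, not part of the post or the vendor description; the function names and the sample export (including the service's ImagePath) are constructed for illustration.

```python
import re

# Indicators taken from the advisory text quoted in the post above.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SERVICE_KEY = r"hkey_local_machine\system\currentcontrolset\services\windows log"
RUN_VALUE = ".nvsvc"
DROPPED_FILES = ("netf.dll", "nvsvcd.exe")

# One string value line of a .reg export: "name"="data" with backslash escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Yield (key, name, data) per string value; (key, None, None) per key header."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := VALUE_RE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            yield key, name, data

def find_indicators(text):
    """Return sorted (kind, detail) hits for the advisory's registry indicators."""
    hits = set()
    for key, name, data in parse_reg(text):
        k = key.lower()
        if name is None:
            if k == SERVICE_KEY:
                hits.add(("service", key))
            continue
        d = data.lower()
        if k == RUN_KEY and (name.lower() == RUN_VALUE or re.search(r"\\smss\.exe\s+/w\b", d)):
            hits.add(("run", f"{name} -> {data}"))
        for fname in DROPPED_FILES:
            if re.search(r"\\" + re.escape(fname) + r"(?![\w.])", d):
                hits.add(("file-reference", f"{key}: {data}"))
    return sorted(hits)

# Constructed sample export, already decoded to str (real exports are UTF-16).
# The ImagePath data is an assumption; the advisory does not state it.
SAMPLE_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
".nvsvc"="C:\\WINDOWS\\system32\\smss.exe /w"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Log]
"ImagePath"="C:\\WINDOWS\\system32\\nvsvcd.exe"
'''
```

Only plain string values are parsed; values exported in `hex(...)` form (for example REG_EXPAND_SZ) are skipped and would need decoding first.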