[2005/Jan/10] After finding this on an actual system in the wild, it strikes me that there's only a SINGLE Google hit for "ntlmscp", leading to:

http://www.cs.uwaterloo.ca/~mpatters/SWG/evilexp.htm

This page, authored in Nov 2003, details what is obviously a rather malicious trojan/backdoor and associated IRC-based botnet, yet Norton AV (2003, 2005 tried) seems unable to pick up on this. Neither does SpyBot or MS-AntiSpyware. And CERT and ISC, who've been informed of this in Sept. 2003, have been mum.

- Strikes Windows (a redundant statement)
- listens on local port 19909/TCP
- connects to private IRC servers on various hosts at 33335/TCP, usually from 1033/TCP (the first assigned Windows 'ephemeral' port?) - the sign of a botnet. [This port seems to be used by "Empire Earth", an online multiplayer game, but there are almost no Google references to that either]
- is cracking Windows NTLM password hashes, and presumably communicates them via the botnet, greatly compromising security on all systems affected.
- present in registry:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NtlmScp
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NtlmScp
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtlmScp
  (variations on the second key: appears in ControlSet002 instead)
- Places a read-only, protected c:\windows\system32\explorer.exe (128026 bytes) that can't be removed without shutting a system down into console mode.

The particular instance I have found was connecting to 64.35.159.154 33335/tcp, a 'secured' private IRC server calling itself "update.microsoft.com", running on a possibly compromised host.
*** Connecting to port 33335 of server 64.35.159.154
*** Welcome to the Internet Relay Network bofh (from update.microsoft.com)
*** Your host is update.microsoft.com, running version beware1.5.7
*** This server was created Tue Jul 13 2004 at 20:36:07 GMT
*** update.microsoft.com beware1.5.7 dgikoswx bdDiklmnoprstv
*** MOTD File is missing
*** on 1 ca 1(4) ft 10(10)
*** Mode change "+ix" for user bofh by bofh
*** BnbhFd.F2J3e2.virtual is now your hidden host

Is any service provider present here seeing substantial amounts of TCP traffic from/to the ports above? Who has the power to run a botnet, evading AV vendors and CERT/ISC alike, and staying sufficiently stealthy to be ignored by all but one security department at ONE educational institution over a period of 14 months?
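One way to turn the indicators listed in the post (the 19909/TCP listener, connections to 33335/TCP, the NtlmScp service key in any control set, and the 128026-byte explorer.exe dropped into system32) into an offline host sweep. This is an added example, not code from the original message or from the page it links to. It assumes the column layout of Windows "netstat -ano" output, and the sample netstat text, registry key list and file table are constructed for the example (the 192.0.2.x and 198.51.100.x addresses are documentation ranges; the size given for the legitimate C:\Windows\explorer.exe is made up). Only the indicator values themselves come from the post.

```python
"""Added example: offline sweep for the ntlmscp indicators listed in the post.

The indicator values are copied from the post; the sample netstat output,
registry key list and file table below are constructed for the example.
"""
import re

# Indicators from the post
LISTEN_PORT = 19909                      # local backdoor listener
C2_PORT = 33335                          # IRC port used by the botnet
C2_HOST = "64.35.159.154"                # IRC server seen in the reported instance
DROPPED_FILE = r"c:\windows\system32\explorer.exe"
DROPPED_SIZE = 128026                    # bytes, as reported
SERVICE_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Services\\NtlmScp$",
    re.IGNORECASE,
)


def parse_netstat_line(line):
    """Parse one 'netstat -ano' TCP row into (lhost, lport, rhost, rport, state).

    Returns None for headers, blank lines and non-TCP rows.
    """
    parts = line.split()
    if len(parts) < 4 or parts[0].upper() != "TCP":
        return None
    lhost, lport = parts[1].rsplit(":", 1)   # rsplit keeps IPv6 brackets intact
    rhost, rport = parts[2].rsplit(":", 1)
    return lhost, int(lport), rhost, int(rport), parts[3].upper()


def check_netstat(lines):
    """Flag the backdoor listener and any connection to the IRC C2 port."""
    hits = []
    for line in lines:
        parsed = parse_netstat_line(line)
        if parsed is None:
            continue
        _, lport, rhost, rport, state = parsed
        if state == "LISTENING" and lport == LISTEN_PORT:
            hits.append(f"local listener on {LISTEN_PORT}/tcp: {line.strip()}")
        elif rport == C2_PORT:
            note = " (known C2 host)" if rhost == C2_HOST else ""
            hits.append(f"outbound to {rhost}:{rport}{note}: {line.strip()}")
    return hits


def check_registry(keys):
    """Return the service keys matching the NtlmScp pattern in any control set."""
    return [k for k in keys if SERVICE_KEY_RE.match(k)]


def check_files(entries):
    """entries: iterable of (path, size). Flag the dropped explorer.exe in system32."""
    hits = []
    for path, size in entries:
        if path.lower() == DROPPED_FILE:
            tag = ("size matches" if size == DROPPED_SIZE
                   else f"size {size} differs from reported {DROPPED_SIZE}")
            hits.append(f"{path} ({tag})")
    return hits


def sweep(netstat_lines, registry_keys, file_entries):
    """Run all three checks; an empty list in every category means no indicator seen."""
    return {
        "network": check_netstat(netstat_lines),
        "registry": check_registry(registry_keys),
        "files": check_files(file_entries),
    }


# Constructed sample input (not captured from a real host)
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:19909          0.0.0.0:0              LISTENING       1652
  TCP    192.0.2.10:1033        64.35.159.154:33335    ESTABLISHED     1652
  TCP    192.0.2.10:1040        198.51.100.7:443       ESTABLISHED     2212
""".splitlines()

SAMPLE_REGISTRY = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtlmScp",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NtlmScp",
]

SAMPLE_FILES = [
    (r"C:\Windows\explorer.exe", 1032192),           # the real shell lives here; size constructed
    (r"C:\Windows\system32\explorer.exe", 128026),   # the dropped file from the post
]

if __name__ == "__main__":
    for category, findings in sweep(SAMPLE_NETSTAT, SAMPLE_REGISTRY, SAMPLE_FILES).items():
        print(f"{category}: {len(findings)} hit(s)")
        for finding in findings:
            print("  -", finding)
```

The network check deliberately treats any connection to 33335/TCP as a hit and only annotates the one server named in the post, since the post says the bots reach private IRC servers on various hosts; the file check reports a path match even when the size differs, so a re-packed variant still shows up for a closer look.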