intcp32.exe - Dangerous

intcp32.exe

Jeff's Story:

My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could neither detect nor fix.

I sought a solution on the Internet and discovered your product and tried out the trial.

You quickly found the rootkit and SAVED my PC!

I haven't had any problems since, and I'm extremely grateful.

Manual removal instructions:

intcp32.exe
W32.Randex.UG is a worm that may be remotely controlled via IRC.
The worm includes Distributed Denial of Service (DDoS) capabilities and also tries to steal the CD keys of a number of games.
Also Known As: Backdoor.IRC.Bot.gen, Backdoor.IRC/SdBot, W32/Sdbot.worm.gen

Copies itself as %System%\intcp32.exe.
Calculates a random IP address.
Attempts to authenticate as an administrator to the calculated IP address. If this worm is successfully authenticated, it will copy itself as:
\\Admin$\intcp32.exe
\\Admin$\system32\intcp32.exe
\\C$\winnt\system32\intcp32.exe
\\C$\windows\system32\intcp32.exe

Remotely schedules a task to run the worm on a newly infected computer.
Connects to an IRC channel on a predetermined IRC server to receive remote instructions, such as:
Ntscan: Scans for computers with weak administrator passwords, and then copies itself to these machines.
Syn: Performs a SYN flood attack with a data size of 55808 bytes.
Sysinfo: Retrieves the infected machine's information, such as CPU speed and the amount of memory.

Manual removal:
Navigate to each of the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
and delete the value: "Threaded"="intcp32.exe"
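
The manual check above as a PowerShell audit script. This is an added example, not part of the original page; the -Remove switch and the variable names are assumptions of this example. It reports the "Threaded" value in both keys and whether %System%\intcp32.exe exists, and deletes the value only when -Remove is given.

```powershell
# Added example: audit the autorun entry and file named on this page.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # hypothetical switch: delete matching values after review
)

$valueName = 'Threaded'        # value name from the removal instructions
$fileName  = 'intcp32.exe'     # file name from the removal instructions
$runKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

# Collect every occurrence of the value; a key may not exist at all.
$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $prop = Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { continue }
    $data = [string]$prop.$valueName
    [pscustomobject]@{
        Key    = $key
        Value  = $valueName
        Data   = $data
        # Only flag the value if its data actually points at the worm's file.
        IsWorm = ($data -like "*$fileName*")
    }
}

# %System% on this page corresponds to the Windows system directory.
$filePath = Join-Path ([Environment]::SystemDirectory) $fileName
$fileHit  = Test-Path -LiteralPath $filePath -PathType Leaf

$findings | Format-Table -AutoSize
"{0} present: {1}" -f $filePath, $fileHit

if ($Remove) {
    foreach ($f in ($findings | Where-Object { $_.IsWorm })) {
        # ShouldProcess makes -WhatIf and -Confirm work for the deletion.
        if ($PSCmdlet.ShouldProcess("$($f.Key)\$($f.Value)", 'Remove registry value')) {
            Remove-ItemProperty -LiteralPath $f.Key -Name $f.Value
        }
    }
}
```

Run it from an elevated prompt; adding -WhatIf together with -Remove shows what would be deleted without changing the registry.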
