netvaer.exe and noview.exe - Trojan ?

I’m running W2K + the latest version of Avast! + ZoneAlarm

Just stumbled across something interesting. I don’t know where it came from but I suspect it’s been around on my PC for some time.

netvaer.exe installed itself in c:\winnt\system32\netvaer.exe along with a program named noview.exe

Made a start up entry in the Registry to run
noview.exe netvaer.exe

netvaer.exe installs itself as a process, so you can’t delete the file without killing the process.

netvaer.exe has even got the cheek to add itself to the Add/Remove Programs panel.

It represents itself with the logo of a very old mIRC release.

Anyway, once the beast is running it appears to act as a DCC server.

Point is Avast! didn’t catch it on a full scan.

My machines tend to stay on indefinitely and the only reason I caught it was because I have set up a Linux box with IP masquerading. It was when I was setting up the Linux firewall that I saw lots of ports sending packets to some clown at 209.126.191.3 (irc.beerbeerbeer.net).

I think this definitely qualifies as a Trojan that Avast should catch.

What say you?

Hi,

Please scan the file(s) with KAV below and send them in a pwd-protected ZIP to:

virus (at) asw (dot) cz

Sorry, I’ve already deleted the crap and cleaned the registry. If it’s any use I’ll post everything I can remember regarding symptoms etc.
Post a message if you think this would be helpful.

Kind Regards

Chris

I’m not on the Alwil team, but I think they’d need the actual files.

I’ve done a little digging with Google and there’s one entry for netvaer.exe and nothing for noview.exe. The link tells you how to get rid of it - same way I expunged the beast. But the page has no mention of noview.exe.

After that, and a little thought, I suspect it gets onto the system via a hacked installation of mIRC; admittedly this is a guess.

Cheers

Chris