Tuesday Morning is Off to a Great Start

Something called HTCPIP.DLL is trying to access 213.105.33.222:8080. My firewall blocked it. Normally when a new program tries to phone home, I do a search of my disk to find out what directory it lives in, to see if it is part of something I approve of. And I do a google search to see what other people say it does.

In all the years I’ve been doing this, this was the first time both searches turned up negative. Regedit reveals one entry with the value HTCPIP.DLL in the registry at My Computer\HKEY_CURRRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31f3-4768-11D2-BE5c-00A)C9A83Da1}\FilesNamedMRU\000\ (Type REG_SZ)

This is of course as clear as mud.

So I ran an online virus-checker. The only thing worth worrying about was a downloaded file carrying something that identified as “Backdoor.Win32.Breplibot.v”… but there’s nothing with that exact name at google either. (The Backdoor.Win32.Breplibot family doesn’t sound very nice, though.)

Have I got a virus so new that no one has recorded it? Is it sitting in some Sony-rootkit-like partition I don’t even know about?

This entry was posted in Software. Bookmark the permalink.

4 Responses to Tuesday Morning is Off to a Great Start

  1. Ed Bott says:

    The good news is that the Registry entry you found was just from the search you did of your system looking for this file (the MRU in the Registry string means the value was in a Most Recently Used list of things you’ve searched for in Explorer).

    The rest of the story isn’t as comforting. Some versions of Breplibot do indeed hide themselves in the Sony Rootkit partition. And they do indeed try to communicate with a Web server via port 8080.

    These are not good symptoms.

    The virus is going around via an email that claims to want you to view a photo for a news site. It includes a Zipped attachment that contains an exe file. I’ve seen a bunch of reports of it lately.

  2. Ed Bott says:

    The good news is that the Registry entry you found was just from the search you did of your system looking for this file (the MRU in the Registry string means the value was in a Most Recently Used list of things you’ve searched for in Explorer).

    The rest of the story isn’t as comforting. Some versions of Breplibot do indeed hide themselves in the Sony Rootkit partition. And they do indeed try to communicate with a Web server via port 8080.

    These are not good symptoms.

    The virus is going around via an email that claims to want you to view a photo for a news site. It includes a Zipped attachment that contains an exe file. I’ve seen a bunch of reports of it lately.

  3. Michael says:

    The remote host that your machine is trying to get to is cpc1-nmkt1-3-0-cust222.cmbg.cable.ntl.com [213.105.33.222]. ntl.com is a British based broadband provider.

  4. Eric says:

    Is it ironic that an EFF guy may have had his computer damaged by the rootkit then exploited by a virus?

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Notify me of followup comments via e-mail. You can also subscribe without commenting.