srvcp Trojan Horse

This page is part of the Trojan Horse Attacks Help Page at trojan and pertains to the “srvcp.exe” trojan.

Have you suddenly been finding yourself K-lined (banned) on servers? Since the middle of May, thousands of K-lines have been put in with these or similar reasons:

If any of those look familiar, suspect that you have run a file which installed the srvcp trojan on your computer. If you are on a LAN (Local Area Network) and your own computer is not infected, a different computer on your network may be. Use the CTRL-ALT-DEL keys to check your open processes. If srvcp.exe is among them, you are infected.

The trojan-infected files we know of so far: CDRWin3.8.zip, DivX_e3.exe, PSXCopy.v6.0.zip. There may be others.

This trojan puts an IRC client on EFnet or DALnet (and maybe on other networks) from the computer of the infected user. These IRC clients, called ‘drones’, are not usually noticed by the infected user. The drones join a channel specified by the trojan runners, who can then command them from there.
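As an added example (not part of the original page), the process check can be combined with a look at what that process is connected to. It assumes a modern Windows system where `tasklist /fo csv /nh` and `netstat -ano` are available, and it assumes the conventional IRC ports, since the page does not say which port the drone uses; both listings below are constructed samples.

```python
import csv
import io

# Process name taken from the page.
TROJAN_PROCESS = "srvcp.exe"
# Assumption: conventional IRC ports; the page does not name the drone's port.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Constructed sample of `tasklist /fo csv /nh` output (not real data).
SAMPLE_TASKLIST = '''"explorer.exe","1432","Console","1","41,204 K"
"SRVCP.EXE","2296","Console","1","3,112 K"
"mirc.exe","3010","Console","1","9,880 K"
'''

# Constructed sample of `netstat -ano` output (documentation address ranges).
SAMPLE_NETSTAT = '''  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1045        198.51.100.7:6667      ESTABLISHED     2296
  TCP    192.0.2.10:1050        198.51.100.9:6667      ESTABLISHED     3010
  TCP    192.0.2.10:1051        203.0.113.5:80         ESTABLISHED     1432
  TCP    0.0.0.0:2121           0.0.0.0:0              LISTENING       2296
'''

def trojan_pids(tasklist_csv):
    """Return PIDs whose image name is srvcp.exe (case-insensitive)."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]) for r in rows if len(r) >= 2 and r[0].lower() == TROJAN_PROCESS}

def connections(netstat_text):
    """Yield (local, remote, state, pid) for each TCP row of netstat -ano."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[4].isdigit():
            yield f[1], f[2], f[3], int(f[4])

def findings(tasklist_csv, netstat_text):
    """Report IRC sessions and listening sockets owned by the trojan process."""
    pids = trojan_pids(tasklist_csv)
    out = []
    for local, remote, state, pid in connections(netstat_text):
        port = int(remote.rsplit(":", 1)[1])
        if pid in pids and state == "ESTABLISHED" and port in IRC_PORTS:
            out.append(("irc-session", pid, remote))
        elif pid in pids and state == "LISTENING":
            out.append(("listener", pid, local))
    return out

if __name__ == "__main__":
    for kind, pid, addr in findings(SAMPLE_TASKLIST, SAMPLE_NETSTAT):
        print(f"{kind}: pid {pid} {addr}")
```

The legitimate IRC client in the sample (mirc.exe) is not reported, because findings are tied to the PID of srvcp.exe rather than to IRC traffic in general.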

Once you’re infected, this trojan gives the attackers the ability to continue to do more damage. It gives them FTP access to your computer, along with other commands which they can use. Given the severity of this attack, the only safe solution might be to erase all files on your machine with a re-format. See our Trojan Horse Attacks help page for more information on how to do this properly.

If you want to take the chance and just stop the effects of this trojan, the latest updates for McAfee will find/fix this trojan. Alternatively, the HackFix Project has a help page which includes more information and directions for a specific, manual fix.

More general advice regarding trojans may be found on our Trojan Horse Attacks help page.