“The startkeylogger bug”

On the 22nd of January 2006 a post was made on with regards to the bug, which read:

I’m not quite sure what the problem is with this, but I’m told its a problem with norton personal firewall.

When you type “startkeylogger” in a populated IRC channel you will notice that many of the clients in the channel quit, with the quit message: “Read error: Connection reset by peer”.

Fun Fun Fun!

Almost a month later people found the site and tested out the bug for themselves.

On the 27th of February 2006 a second post was made on

After my post last month about the norton startkeylogger bug i’ve had a massive increase of visitors this month from people interested in this problem.

For those who are interested in this bug i’d like to make a few things clear…

It does work, i’ve tested it.
This bug has been around for about 2 years. I made the post after someone reminded me of it.
It seems you can also use stopkeylogger, both of these commands are triggers for the Spybot trojan.
You can also use these commands in the topic and as a nickname, it will also have the same effect.
This command only appears to work when you’re connected to a server on port 6667-7000 such as an IRC server, by norton doing this it is meant to protect you from the Spybot trojan.

I would also like to point out that I didn’t make the post so people would abuse it, I simply made it as it was an interesting bug, and i’ve yet to find out how to report bugs to symantec, so I wanted to let people aware of the issue.

In addition to all of this, another bug was reported, which when said across mIRC seemed to disconnect certain netgear and linksys products. The string was:

DCC SEND “fourteen chrs or more string”

After this, people then decided to merge the two bugs together to form:

DCC SEND “startkeylogger”

A lot of media attention came from this and on the 3rd of March 2006 a final post was made on

Recently i’ve been really over welmed with interest in this startkeylogger bug, so much so this article was created:

The guy called me a “hacker”, I like to think myself as more of a “security expert”.

Yesterday I found that this guy had joined my channel on EFnet, trying to contact me.


[03:29:31 am] * LesserGee ([email protected]) has joined #hm2k
[03:29:54 am] HM2K: it’s Brian Krebs, reporter from here
[03:30:05 am] i tried to get your attention earlier today
[03:30:30 am] i see you noticed the blog post got Slashdorked
[03:30:45 am] that’s what i was afraid of, so that’s why i wanted to speak with you first
[03:31:07 am] does anyone in this channel ever talk?
[04:09:02 am] * LesserGee ([email protected]) Quit (leaving)

He obviously didn’t try very hard to contact me, he didn’t even email me.

Anyway, it seems it is on slashdot here:

Point is, if you want to contact me, email me or stick around.

Anyway, on top of all that TheRegister have attempted to link me, but it seems they have invented a new protocol named “hhttp”.



Fix your html code, muppets!

It has been reported that Symantec and Netgear have since fixed these bugs.


The contents of this article has been archived on behalf of by Phurix, the original posts are listed below:

Any opinions provided in this article are that of the original author and not of Phurix.