Re: [Full-disclosure] svchost.exe try to send http outside

From: Josh Zlatin-Amishav (josh_at_tkos.co.il)
Date: 08/17/05

  • Next message: Mike: "RE: [Full-disclosure] svchost.exe try to send http outside"
    Date: Wed, 17 Aug 2005 13:34:50 +0300 (IDT)
    To: howard.lee@guoco.com
    
    

    On Wed, 17 Aug 2005 howard.lee@guoco.com wrote:

    > Dear all,
    >
    > I discovered that an "svchost.exe" starts when the server starts.
    > This svchost.exe tries to sync_sent to random http hosts when I view from
    > netstat, active port, and pviewer.
    >
    > However, does anyone know which worms/trojan/normal process causes the
    > svchost to do such a job?

    Hi Howard,
    This sounds like Hotword.b.trojan. The Hotword.b trojan is known to use
    the following files:
    "_svchost.exe"
    "0xFFsvchost.exe" (note the 0xFF is obviously unreadable)
    "Outlook Express"

    in the System32 directory.

    FYI this trojan was recently used in a massive corporate spy case in Israel.

    For more info see here:
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.b.html
    http://seclists.org/lists/fulldisclosure/2005/May/0653.html

    --
         - Josh
    > and how to stop this?
    > Is this a normal process?
    >
    > My Server is a fully patched windows 2003 server. net.
    > The svchost.exe is Microsoft verified and located at c:\windows\system32
    >
    > Regards,
    > Howard
    >
    >
    > This e-mail (and any attachment (s)) is confidential and for use only by
    > intended recipient (s). Access by others is unauthorised. Its content
    > should not be relied upon and no liability or responsibility is accepted by
    > us, without our subsequent written confirmation of its content. If you are
    > not an intended recipient, please notify us promptly and delete all copies
    > and note that any disclosure, copying, distribution or any action taken or
    > omitted to be taken in reliance on the information it contains is
    > prohibited and may be unlawful. Further information on Guoco Group is
    > available from http://www.guoco.com
    >
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > Hosted and sponsored by Secunia - http://secunia.com/
    >
    >
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
    
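A triage script for the symptoms discussed in this thread, added here as an example and not code from either poster or from Symantec. It parses `netstat -ano` style output, joins the PIDs to image paths (as you would obtain from `wmic process get ProcessId,ExecutablePath`), and reports svchost.exe processes in SYN_SENT towards hosts outside the local ranges, separating the genuine `C:\WINDOWS\system32\svchost.exe` (Howard's case, where the process itself looks legitimate) from look-alike images such as `_svchost.exe`. It also scans a System32 listing for the Hotword.b file names given in the reply, generalised to any `*svchost.exe` variant that is not exactly `svchost.exe`. All netstat lines, PIDs, addresses and the directory listing are constructed samples; the genuine path and the local address ranges are assumptions to adjust for the host being checked.

```python
"""Triage of outbound svchost.exe connections and Hotword.b drop-file names.

Added example, not from the mailing-list thread. Inputs are constructed
samples shaped like `netstat -ano` output and a PID -> image path map.
"""
import ipaddress
import os.path
import re

# Assumption: the genuine service host lives under C:\WINDOWS on this box.
GENUINE_SVCHOST = r"c:\windows\system32\svchost.exe"

# File names the reply attributes to Hotword.b (all dropped in System32).
# The second one starts with the unprintable byte 0xFF.
HOTWORD_FILE_NAMES = ("_svchost.exe", "\xffsvchost.exe", "Outlook Express")

# Address ranges treated as "inside"; anything else counts as an outside host.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# Constructed `netstat -ano` sample. 203.0.113.x / 198.51.100.x / 192.0.2.x are
# documentation ranges standing in for arbitrary Internet hosts.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.5:1034          10.0.0.1:445           ESTABLISHED     4
  TCP    10.0.0.5:1077          203.0.113.17:80        SYN_SENT        1480
  TCP    10.0.0.5:1078          198.51.100.9:80        SYN_SENT        1480
  TCP    10.0.0.5:1080          192.0.2.44:80          SYN_SENT        1024
  TCP    10.0.0.5:1081          10.0.0.20:80           SYN_SENT        1024
  UDP    0.0.0.0:500            *:*                                    700
"""

# Constructed PID -> image path map (what `wmic process get ProcessId,ExecutablePath` gives).
PROCESS_PATHS = {
    4: "System",
    700: r"C:\WINDOWS\system32\lsass.exe",
    912: r"C:\WINDOWS\system32\svchost.exe",
    1024: r"C:\WINDOWS\system32\svchost.exe",
    1480: r"C:\WINDOWS\system32\_svchost.exe",
}

# Constructed System32 listing containing the three indicator names.
SAMPLE_SYSTEM32 = ["svchost.exe", "_svchost.exe", "\xffsvchost.exe",
                   "lsass.exe", "Outlook Express", "services.exe"]

# proto, local, foreign, optional state (absent for UDP), pid
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows


def is_external(addr_port):
    """True when the IP part of 'ip:port' lies outside LOCAL_NETS ('*' is not external)."""
    host = addr_port.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_NETS)


def suspicious_svchost_connections(netstat_text, process_paths):
    """Flag processes whose image name ends in svchost.exe that are SYN_SENT to an outside host.

    genuine_path=False means the image is not at the expected svchost.exe path,
    which is the stronger indicator; a genuine svchost reaching out (e.g. for
    Windows Update) is reported for review but is not evidence on its own.
    """
    findings = []
    for _proto, _local, remote, state, pid in parse_netstat(netstat_text):
        path = process_paths.get(pid, "")
        name = os.path.basename(path.replace("\\", "/")).lower()
        if not name.endswith("svchost.exe"):
            continue
        if state != "SYN_SENT" or not is_external(remote):
            continue
        findings.append({"pid": pid, "remote": remote, "path": path,
                         "genuine_path": path.lower() == GENUINE_SVCHOST})
    return findings


def hotword_indicators(system32_listing):
    """Names matching the Hotword.b drop files, plus any other *svchost.exe look-alike."""
    hits = []
    for name in system32_listing:
        lower = name.lower()
        if name in HOTWORD_FILE_NAMES:
            hits.append(name)
        elif lower.endswith("svchost.exe") and lower != "svchost.exe":
            hits.append(name)
    return hits


if __name__ == "__main__":
    for f in suspicious_svchost_connections(NETSTAT_SAMPLE, PROCESS_PATHS):
        print("PID %d -> %s from %s (genuine path: %s)"
              % (f["pid"], f["remote"], f["path"], f["genuine_path"]))
    print("indicator files:", [n.encode("unicode_escape").decode() for n in hotword_indicators(SAMPLE_SYSTEM32)])
```

On a live host, replace the two constructed samples with the real `netstat -ano` and `wmic` output; the file-name check should be run against a directory listing rather than an explorer view, because a leading 0xFF byte can render as a blank or a box and hide the difference from the real svchost.exe.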

