Re: [Full-disclosure] svchost.exe try to send http outside
From: Josh Zlatin-Amishav (josh_at_tkos.co.il)
Date: Wed, 17 Aug 2005 13:34:50 +0300 (IDT)
To: firstname.lastname@example.org

On Wed, 17 Aug 2005 email@example.com wrote:
> Dear all,
> I discovered that an "svchost.exe" starts when the server starts.
> This svchost.exe tries to sync_sent to random http host when I view from
> netstat, active port, and pviewer.
> However, does anyone know which worms/trojan/normal process causes the
> svchost do such job?
This sounds like Hotword.b.trojan. The Hotword.b trojan is known to use
the following files:
"0xFFsvchost.exe" (note the 0xFF is obviously unreadable)
in the System32 directory.
FYI this trojan was recently used in a massive corporate spy case in Israel.
--
- Josh

> and how to stop this?
> Is this a normal process?
>
> My Server is a fully patched windows 2003 server. net.
> The svchost.exe is microsoft verified and located at c:\windows\system32
>
> Regards,
> Howard
>
>
> This e-mail (and any attachment (s)) is confidential and for use only by
> intended recipient (s). Access by others is unauthorised. Its content
> should not be relied upon and no liability or responsibility is accepted by
> us, without our subsequent written confirmation of its content. If you are
> not an intended recipient, please notify us promptly and delete all copies
> and note that any disclosure, copying, distribution or any action taken or
> omitted to be taken in reliance on the information it contains is
> prohibited and may be unlawful. Further information on Guoco Group is
> available from http://www.guoco.com
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
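A check for the kind of file name described in the reply above, added here as an example and not written by either poster: it flags directory entries that read as svchost.exe once unreadable characters are removed, and reports the code points of those characters. The function names and the sample names (U+00FF and U+00A0 as stand-ins for the 0xFF byte) are assumptions constructed for illustration.

```python
import os
import string

TARGET = "svchost.exe"
# Characters expected in an ordinary executable name; anything else is "hidden".
ALLOWED = set(string.ascii_letters + string.digits + "._-")


def hidden_chars(name):
    """Code points in `name` that fall outside the expected character set."""
    return [f"U+{ord(ch):04X}" for ch in name if ch not in ALLOWED]


def is_lookalike(name):
    """True if `name` is not svchost.exe but becomes it once hidden characters go."""
    visible = "".join(ch for ch in name if ch in ALLOWED).lower()
    return name.lower() != TARGET and visible == TARGET


def find_lookalikes(names):
    """Return (name, hidden code points) for every lookalike in `names`."""
    return [(n, hidden_chars(n)) for n in names if is_lookalike(n)]


def scan_directory(path):
    """Apply the check to the entries of a real directory."""
    return find_lookalikes(os.listdir(path))


# Constructed sample listing. How a 0xFF byte is displayed depends on the
# code page, so two stand-ins are used here.
SAMPLE = [
    "svchost.exe",          # the genuine name
    "SVCHOST.EXE",          # same name, different case
    "\u00ffsvchost.exe",    # constructed: prefixed with U+00FF
    "\u00a0svchost.exe",    # constructed: prefixed with a non-breaking space
    "svchost.exe.bak",      # different visible name, not a lookalike
]

if __name__ == "__main__":
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    listing = scan_directory(system32) if os.path.isdir(system32) else find_lookalikes(SAMPLE)
    for name, hidden in listing:
        print(f"{name!r} hides {', '.join(hidden)}")
```

A hit only means the name is padded with characters that do not display; the file still has to be examined before concluding what it is.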