Re: [Full-disclosure] svchost.exe try to send http outside
From: Josh Zlatin-Amishav (josh_at_tkos.co.il)
Date: 08/17/05
- Previous message: howard.lee_at_guoco.com: "[Full-disclosure] svchost.exe try to send http outside"
- In reply to: howard.lee_at_guoco.com: "[Full-disclosure] svchost.exe try to send http outside"
- Next in thread: Dave Korn: "[Full-disclosure] Re: svchost.exe try to send http outside"
- Reply: Dave Korn: "[Full-disclosure] Re: svchost.exe try to send http outside"
Date: Wed, 17 Aug 2005 13:34:50 +0300 (IDT)
To: howard.lee@guoco.com
On Wed, 17 Aug 2005 howard.lee@guoco.com wrote:
> Dear all,
>
> I discovered that an "svchost.exe" starts when the server starts.
> This svchost.exe tries to sync_sent to random http host when I view from
> netstat, active port, and pviewer.
>
> However, does anyone know which worms/trojan/normal process causes the
> svchost to do such a job?
Hi Howard,
This sounds like Hotword.b.trojan. The Hotword.b trojan is known to use
the following files:
"_svchost.exe"
"0xFFsvchost.exe" (note the 0xFF is obviously unreadable)
"Outlook Express"
in the System32 directory.
FYI this trojan was recently used in a massive corporate spy case in Israel.
For more info see here:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.b.html
http://seclists.org/lists/fulldisclosure/2005/May/0653.html
--
- Josh
> and how to stop this?
> Is this a normal process?
>
> My Server is a fully patched windows 2003 server. net.
> The svchost.exe is Microsoft verified and located at c:\windows\system32
>
> Regards,
> Howard
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
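
Added example, not part of either poster's message: a small Python triage of file paths for the svchost look-alike names quoted in the reply above, with hidden characters such as the 0xFF prefix made visible. The sample paths are constructed, and the function names and verdict labels are this example's own.

```python
import ntpath

SYSTEM32 = r"c:\windows\system32"   # directory named in the thread
GENUINE = "svchost.exe"
# Plain names quoted in the reply. The 0xFF variant is left to the look-alike
# rule, since how that byte decodes depends on the code page (assumption).
NAMED_IN_POST = {"_svchost.exe", "outlook express"}

# Constructed sample of file paths, not taken from any real host.
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\_svchost.exe",
    "C:\\WINDOWS\\system32\\\xffsvchost.exe",
    r"C:\WINDOWS\system32\Outlook Express",
    r"C:\WINDOWS\Temp\svchost.exe",
    r"C:\Program Files\Outlook Express\msimn.exe",
]


def visible(name):
    """Escape anything outside printable ASCII so hidden characters show up."""
    return "".join(c if 0x20 <= ord(c) <= 0x7E else f"<U+{ord(c):04X}>" for c in name)


def classify(path):
    """Return ok, wrong-dir, named-in-post, lookalike or unrelated for one path."""
    directory, name = ntpath.split(path)
    in_system32 = ntpath.normpath(directory).casefold() == SYSTEM32
    folded = name.casefold()
    if folded == GENUINE:
        return "ok" if in_system32 else "wrong-dir"
    if folded in NAMED_IN_POST and in_system32:
        return "named-in-post"
    if "svchost" in folded:
        return "lookalike"
    return "unrelated"


def triage(paths):
    """Return (verdict, escaped file name, path) for every path worth a look."""
    hits = []
    for path in paths:
        verdict = classify(path)
        if verdict not in ("ok", "unrelated"):
            hits.append((verdict, visible(ntpath.basename(path)), path))
    return hits


if __name__ == "__main__":
    for verdict, shown, path in triage(SAMPLE):
        print(f"{verdict:14} {shown:24} {visible(path)}")
```

A verdict of ok only says the name and directory match; it does not check the file's signature or what the process is doing on the network.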